Tokens

Access token

access token lifetime: 5 minutes

ID token

The lifetime of an ID token is 4 hours. Example of an edu-ID ID token:

{
  "at_hash": "qveVeMmfX3Gyd6l5YwqHZg",
  "sub": "MA2ZRIYFC67J6MEXNA4LMSNQB7ZFMN5Y",
  "aud": "apache_mod_openidc_testing",
  "acr": "password",
  "swissEduPersonUniqueID": "21902396667@test.eduid.ch",
  "auth_time": 1646151333,
  "iss": "https:\/\/login.test.eduid.ch\/",
  "exp": 1646165737,
  "iat": 1646151337,
  "nonce": "Epg0I0IH3xeuZ2Em1JjzVmLZKX_M452HX0bBAIUAzeo",
  "swissEduIDLinkedAffiliationUniqueID": 
    [
      "13874948@unidemo.ch",
      "1294723@example.org"
    ]
}
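As an added illustration (not part of the edu-ID documentation), the checks a relying party performs on a claim set like the one above before trusting it. The issuer, client_id and nonce are the values visible in the example; the access token used for the at_hash check is constructed, and signature verification against the keys published in the discovery document is assumed to happen before these checks.

```python
import base64
import hashlib
import time

# Security-relevant claims copied from the example ID token above
EXAMPLE_CLAIMS = {
    "at_hash": "qveVeMmfX3Gyd6l5YwqHZg",
    "sub": "MA2ZRIYFC67J6MEXNA4LMSNQB7ZFMN5Y",
    "aud": "apache_mod_openidc_testing",
    "auth_time": 1646151333,
    "iss": "https://login.test.eduid.ch/",
    "exp": 1646165737,
    "iat": 1646151337,
    "nonce": "Epg0I0IH3xeuZ2Em1JjzVmLZKX_M452HX0bBAIUAzeo",
}


def at_hash_for(access_token: str) -> str:
    """at_hash for an RS256-signed ID token: base64url of the left 128 bits of SHA-256."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")


def validate_id_token_claims(claims, *, issuer, client_id, nonce, now=None,
                             access_token=None, max_age=None, leeway=60):
    """Return a list of problems; an empty list means the claims are accepted.

    The signature is assumed to have been verified already (the page shows only
    the payload; the signing keys come from the discovery document's jwks_uri).
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != {issuer!r}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain this client_id")
    if claims.get("exp", 0) + leeway < now:          # 4 h lifetime on edu-ID
        problems.append("token expired (exp)")
    if claims.get("iat", 0) - leeway > now:
        problems.append("iat lies in the future")
    if claims.get("nonce") != nonce:                 # replay protection
        problems.append("nonce does not match the one sent in the request")
    if access_token is not None and claims.get("at_hash") != at_hash_for(access_token):
        problems.append("at_hash does not match the access token")
    if max_age is not None and now - claims.get("auth_time", 0) > max_age:
        problems.append("authentication older than max_age")
    return problems
```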

Refresh token

The edu-ID IdP supports refresh tokens.

refresh token lifetime: 30 days

Note: The client gets a new refresh token with each successful request to the token endpoint. Consequently, a user may have to re-authenticate only after more than 30 days if the client was active often enough in the meantime.

Token Revocation

The edu-ID IdP supports token revocation according to RFC 7009. The token revocation endpoint can be found in the OpenID Connect configuration at
https://login.eduid.ch/.well-known/openid-configuration

Client applications that request and make use of refresh tokens are requested to offer token revocation for their users.

The edu-ID OIDC service currently does not support single logout (SLO). Token revocation mitigates the problem in part by cutting off access for a specific client.