Lifetime of tokens and authorization timeout for Identity and Access Manager

When configuring Identity and Access Manager (also referred to as IAM), you must specify the settings for the token lifetime and authorization timeout. The default settings are designed to reflect both the security standards and the server load. However, you can change these settings according to your organization's policies.

IAM automatically re-issues a token when it is about to expire.

The table below lists the default token lifetime settings.

Token lifetime settings

| Token | Default lifetime (in seconds) | Description |
| --- | --- | --- |
| Identity token (id_token) | 86400 | Identity token used by the OAuth 2.0 client (that is, either Kaspersky Security Center Web Console or Kaspersky Industrial CyberSecurity Console). IAM sends the ID token containing information about the user (that is, the user profile) to the client. |
| Access token (access_token) | 86400 | Access token used by the OAuth 2.0 client to access the resource server on behalf of the resource owner identified by IAM. |
| Refresh token (refresh_token) | 172800 | The OAuth 2.0 client uses this token for re-issuing the Identity token and the Access token. |

The table below lists the timeouts for auth_code and login_consent_request.

Authorization timeout settings

| Setting | Default timeout (in seconds) | Description |
| --- | --- | --- |
| Authorization code (auth_code) | 3600 | Timeout for exchanging the code for the token. The OAuth 2.0 client sends this code to the resource server and gets the access token in exchange. |
| Login consent request timeout (login_consent_request) | 3600 | Timeout for delegating user rights to the OAuth 2.0 client. |

For more information about tokens, see the OAuth website.
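After changing a lifetime setting, you can confirm that newly issued tokens actually carry the new value. The following is an added example, not part of the product or its documentation: it reads the iat and exp claims of an identity token and compares their difference with the configured id_token lifetime. It assumes the id_token is a compact JWT with numeric iat and exp claims; the function names and the sample token are constructed for illustration.

```python
import base64
import json

# Default id_token lifetime from the token lifetime table, in seconds.
DEFAULT_ID_TOKEN_LIFETIME = 86400


def b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_lifetime(jwt):
    """Return exp - iat (seconds) from a compact JWT payload.

    Inspection only: the signature is NOT verified, so never use this
    function to decide whether a token should be trusted.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 segments)")
    claims = json.loads(b64url_decode(parts[1]))
    for name in ("iat", "exp"):
        value = claims.get(name)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise ValueError("missing or non-numeric claim: " + name)
    if claims["exp"] <= claims["iat"]:
        raise ValueError("exp is not later than iat")
    return claims["exp"] - claims["iat"]


def lifetime_matches(jwt, expected=DEFAULT_ID_TOKEN_LIFETIME, tolerance=0):
    """True when the issued token's lifetime equals the configured value."""
    return abs(token_lifetime(jwt) - expected) <= tolerance


def make_sample_token(iat, lifetime):
    # Constructed, unsigned sample token used only for this demonstration.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {"sub": "sample-user", "iat": iat, "exp": iat + lifetime}
    return enc({"alg": "none"}) + "." + enc(payload) + "."


if __name__ == "__main__":
    for seconds in (86400, 604800):  # configured default vs. a week-long token
        token = make_sample_token(1700000000, seconds)
        print(seconds, "matches configured lifetime:", lifetime_matches(token))
```

A mismatch on a freshly issued token indicates that the changed setting has not taken effect or that the token came from a different issuer configuration.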

See also:

Enabling Identity and Access Manager: scenario
