Configure expiration time for access tokens in Spring Authorization Server

A big advantage of OAuth2 is that it can allow us to limit the amount of time a request with a particular access token is allowed to use resources. An access token will determine its expiration time, API resources will rely on this expiration time to decide whether to allow a Client Application to continue accessing resources or not? Using Spring Authorization Server to implement Authorization Server, how to configure expiration time for an access token? We will find out together in this tutorial!

The first thing you need to know is, we will use the TokenSettings class of the Spring Authorization Server to configure some information related to the access token. Currently, you can configure expiration time, reuse refresh token, refresh token expiration time, ID token signature algorithm.

To configure expiration time at the system level, apply it to all clients in the system, you can define a bean of TokenSettings as follows:

@Bean
public TokenSettings tokenSettings() {
  // @formatter:off
  return TokenSettings.builder()
      .accessTokenTimeToLive(Duration.ofMinutes(30L))
      .build();
  // @formatter:on
}

@Bean

public TokenSettings tokenSettings() {

// @formatter:off

return TokenSettings.builder()

.accessTokenTimeToLive(Duration.ofMinutes(30L))

.build();

// @formatter:on

}

Then in the declaration of each RegisteredClient, you declare more information about tokenSettings as follows:

// @formatter:off
RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())
    .clientId("huongdanjava1")
    .clientSecret("{noop}123")
    .clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)
    .authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)
    .tokenSettings(tokenSettings())
    .build();
// @formatter:on

// @formatter:off

RegisteredClient registeredClient = RegisteredClient.withId(UUID.randomUUID().toString())

.clientId("huongdanjava1")

.clientSecret("{noop}123")

.clientAuthenticationMethod(ClientAuthenticationMethod.CLIENT_SECRET_POST)

.authorizationGrantType(AuthorizationGrantType.CLIENT_CREDENTIALS)

.tokenSettings(tokenSettings())

.build();

// @formatter:on

I’m declaring RegisteredClient with TokenSettings in a Java class file, if you define it in 2 different class files, you can use the @Autowired annotation, then inject the TokenSettings bean and then use it in the RegisteredClient’s tokenSettings() method.

If you want a specific expiration time for each RegisteredClient, please initialize new and use the TokenSettings object for that RegisteredClient object.

Run the example in the tutorial Implement OAuth Authorization Server using Spring Authorization Server with above TokenSettings configuration:

then parse the content of the access token using https://jwt.io/, you will see when the issued access token is issued at:

the expiration time will be:

The default expiration time of an access token in the Spring Authorization Server is 5 minutes!

2.5/5 - (2 votes)

7 thoughts on “Configure expiration time for access tokens in Spring Authorization Server”

Odesto

27 August, 2023 at 11:57 pm

Thank you!

22 January, 2022 at 7:21 am

Will it be possible to add additional parameters in the token? How to add them?

Pavucsan Manokaran

30 November, 2021 at 5:54 pm

The question in spring security,
I have 2 microservice one is auth-server and another one is app1-service.
auth server provides jwt-token(user-management service) and app1-service that is a resource-server of auth-server.
(access_token_expire_time=30min)

when I use spring security, app1-service using jwt-token to access the API and jwt-token will check with auth-server at the first time only then next time API work with jwt-token information until the token expires (based on JWT-token concept).

problem:
when I logout of the access_token through auth-server, app1-service(resource-server) never works with that token.
so, what are the configuration I should do? could you give me an idea…