Tokens

Access token

access token lifetime: 5 minutes

ID token

The lifetime of an ID token is 4 hours (in the example below, exp - iat = 14400 seconds). Example of the decoded claims of an edu-ID ID token:

{
  "at_hash": "qveVeMmfX3Gyd6l5YwqHZg",
  "sub": "MA2ZRIYFC67J6MEXNA4LMSNQB7ZFMN5Y",
  "aud": "apache_mod_openidc_testing",
  "acr": "password",
  "swissEduPersonUniqueID": "21902396667@test.eduid.ch",
  "auth_time": 1646151333,
  "iss": "https:\/\/login.test.eduid.ch\/",
  "exp": 1646165737,
  "iat": 1646151337,
  "nonce": "Epg0I0IH3xeuZ2Em1JjzVmLZKX_M452HX0bBAIUAzeo",
  "swissEduIDLinkedAffiliationUniqueID": 
    [
      "13874948@unidemo.ch",
      "1294723@example.org"
    ]
}
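What a relying party must check on these claims before trusting them, as an added example that is not part of the original page or of edu-ID's own software: it validates iss, aud, exp, iat, nonce and, when an access token was issued alongside the ID token, at_hash, against the example payload above. Signature verification (against the keys at the provider's jwks_uri) is assumed to have been done by a JOSE library beforehand; the access token used to exercise the at_hash check is constructed.

```python
import base64
import hashlib

# Claims copied from the example ID token above (the JSON "https:\/\/" escapes
# decode to plain slashes, which is what a JSON parser would hand back).
EXAMPLE_CLAIMS = {
    "at_hash": "qveVeMmfX3Gyd6l5YwqHZg",
    "sub": "MA2ZRIYFC67J6MEXNA4LMSNQB7ZFMN5Y",
    "aud": "apache_mod_openidc_testing",
    "acr": "password",
    "swissEduPersonUniqueID": "21902396667@test.eduid.ch",
    "auth_time": 1646151333,
    "iss": "https://login.test.eduid.ch/",
    "exp": 1646165737,
    "iat": 1646151337,
    "nonce": "Epg0I0IH3xeuZ2Em1JjzVmLZKX_M452HX0bBAIUAzeo",
    "swissEduIDLinkedAffiliationUniqueID": ["13874948@unidemo.ch", "1294723@example.org"],
}


def b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def compute_at_hash(access_token: str) -> str:
    """at_hash for a token signed with a SHA-256 based alg (RS256/ES256/PS256):
    base64url, without padding, of the left-most 128 bits of SHA-256(access_token)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url_nopad(digest[: len(digest) // 2])


def validate_id_token_claims(claims, *, issuer, client_id, nonce, now,
                             access_token=None, max_auth_age=None, leeway=60):
    """Return a list of problems; an empty list means the claims are acceptable.
    Assumes the JWS signature was already verified against the provider's jwks_uri."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        problems.append("aud does not contain our client_id")
    # With several audiences OIDC Core requires azp to name the party the token was issued to.
    if isinstance(aud, list) and len(aud) > 1 and claims.get("azp") != client_id:
        problems.append("multiple audiences but azp is not our client_id")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"] + leeway:
        problems.append("token expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + leeway:
        problems.append("iat in the future")
    # The nonce binds the token to the authorization request that this client sent.
    if claims.get("nonce") != nonce:
        problems.append("nonce mismatch (possible replay)")
    if max_auth_age is not None and now - claims.get("auth_time", 0) > max_auth_age:
        problems.append("authentication too old")
    if access_token is not None:
        if "at_hash" not in claims:
            problems.append("at_hash missing although an access token was issued alongside")
        elif claims["at_hash"] != compute_at_hash(access_token):
            problems.append("at_hash mismatch (access token does not belong to this ID token)")
    return problems


if __name__ == "__main__":
    # Constructed access token, only to show the at_hash binding end to end.
    tok = "constructed-access-token"
    bound = dict(EXAMPLE_CLAIMS, at_hash=compute_at_hash(tok))
    print(validate_id_token_claims(bound, issuer="https://login.test.eduid.ch/",
                                   client_id="apache_mod_openidc_testing",
                                   nonce=EXAMPLE_CLAIMS["nonce"], now=1646151400,
                                   access_token=tok))
```

The function deliberately returns every problem instead of stopping at the first one, so a failed login can be logged with the full reason; `leeway` absorbs small clock skew between the IdP and the client and should stay in the order of a minute.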

Refresh token

The edu-ID IdP supports refresh tokens.

refresh token lifetime: 30 days

Token Revocation

The edu-ID IdP supports token revocation according to RFC 7009. The revocation endpoint (the revocation_endpoint entry defined by RFC 8414) is published in the OpenID Provider configuration document:
https://login.eduid.ch/.well-known/openid-configuration

Client applications that request and make use of refresh tokens are expected to offer token revocation to their users, for example as part of their logout.

The edu-ID OIDC service currently does not support single logout (SLO). Token revocation mitigates this only in part: revoking a client's refresh token cuts off that client's access, but it does not end the user's single sign-on session at the IdP, so the same browser can obtain new tokens for that or any other client without being asked to authenticate again.
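The revocation exchange seen from the client, as an added example that is not part of this page or of edu-ID's software. The configuration dict, the client credentials and the token value are constructed; for edu-ID the real revocation_endpoint is read from the discovery URL above. The code builds the RFC 7009 request with client_secret_basic authentication and interprets the status codes the RFC defines.

```python
import base64
import urllib.error
import urllib.request
from urllib.parse import quote, urlencode

# Constructed stand-in for an OpenID Provider configuration document (only the entries
# used here). Fetch the real one from the provider's /.well-known/openid-configuration.
EXAMPLE_CONFIG = {
    "issuer": "https://idp.example.org/",
    "token_endpoint": "https://idp.example.org/oidc/token",
    "revocation_endpoint": "https://idp.example.org/oidc/revoke",
}


def revocation_endpoint(config):
    """RFC 8414 names the entry 'revocation_endpoint'; refuse to guess if it is absent or not https."""
    url = config.get("revocation_endpoint")
    if not url or not url.startswith("https://"):
        raise ValueError("provider publishes no https revocation_endpoint")
    return url


def basic_auth_header(client_id, client_secret):
    """client_secret_basic per RFC 6749 2.3.1: form-encode each part, then base64 'id:secret'."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")


def build_revocation_request(config, token, client_id, client_secret,
                             token_type_hint="refresh_token"):
    """RFC 7009 2.1: POST a form with 'token' and an optional 'token_type_hint'
    to the revocation endpoint, authenticating as the client that owns the token."""
    if token_type_hint not in ("access_token", "refresh_token"):
        raise ValueError("unknown token_type_hint")
    return {
        "url": revocation_endpoint(config),
        "headers": {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"token": token, "token_type_hint": token_type_hint}),
    }


def interpret_revocation_status(status):
    """RFC 7009 2.2: 200 means revoked OR already invalid (the server must not reveal which);
    503 asks the client to retry later; anything else is a client-side problem
    (401 bad client credentials, 400 unsupported_token_type, ...)."""
    if status == 200:
        return "revoked"
    if status == 503:
        return "retry"
    return "error"


def revoke_token(config, token, client_id, client_secret, token_type_hint="refresh_token"):
    """Send the request over the network and return the interpreted outcome (not run offline)."""
    req = build_revocation_request(config, token, client_id, client_secret, token_type_hint)
    http_req = urllib.request.Request(req["url"], data=req["body"].encode("ascii"),
                                      headers=req["headers"], method="POST")
    try:
        with urllib.request.urlopen(http_req, timeout=10) as resp:
            return interpret_revocation_status(resp.status)
    except urllib.error.HTTPError as e:
        return interpret_revocation_status(e.code)


if __name__ == "__main__":
    # Constructed credentials and token; prints the request that would be sent.
    print(build_revocation_request(EXAMPLE_CONFIG, "rt-constructed-1", "my-client", "s3cret"))
```

Revoke the refresh token rather than the short-lived access token: RFC 7009 says the server should then also invalidate the access tokens derived from it, which covers the remaining minutes of the access token's lifetime. Whatever the response, the client should discard its own copies of the tokens afterwards.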