Configurable Expires for auth tokens generated by TIB

When setting up a proxy provider to issue temporary auth tokens, how do we set the TTL on those auth tokens?

I’m not seeing an option in the proxy provider config:
https://tyk.io/docs/tyk-identity-broker/social-examples/generate-auth-token-via-the-proxy-provider/

What would be awesome is if there’s a way that we could specify this somewhat programmatically, so that passing something like ‘remember_me’ to the TIB proxy request could use a default long TTL and not passing it would use another default short TTL.

Based on the TIB code, it looks like I can set Expires inside the IdentityHandlerConfig like so:

    "IdentityHandlerConfig": {
        "DashboardCredential": "99999999999999999999999999",
        "DisableOneTokenPerAPI": false,
        "TokenAuth": {
            "BaseAPIID": "999999999999999999999999999",
            "Expires": 72000
        }
    },

However, that has no effect on the redis TTL for the token. Perhaps this TTL is stored somewhere else? If so, why not just use the redis TTL?

That’s correct, this will set the expiry of the key; that’s not the same as the TTL.

We intentionally don’t set the TTL because you may need to renew a key that already exists, and you want to tell users of an expired key that it has expired, not that it is missing/deleted.

There is an API specific session timeout, which can be set to have a maximum TTL for a key outside of the expiry but this TTL does not get extended if the key is used, so needs to be significantly longer than the potential lifetime of the key.

Hope that makes sense :-/

M.

Ah, thanks for the clarifications Martin.

Makes sense on the Redis TTL. That’s true, the difference between expired and DNE is important.

Yes, the API specific timeout will work well for our case as we can make that something like 1 week and make the Expire 1 day.

Is that the “session_lifetime” key in each api definition?

Yep that’s the one :)
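
The distinction discussed in this thread, as an added Go example that is not Tyk or TIB code: a toy in-memory store that keeps the key expiry separate from a fixed session lifetime, using the 1 day / 1 week values mentioned above. All type and method names are hypothetical, and the eviction time only models what a store TTL would do.

```go
package main

import (
	"fmt"
	"time"
)

// session is a constructed token record, not Tyk's own type: expires is the
// logical expiry, evictAt models a store TTL derived from a session lifetime.
type session struct{ expires, evictAt time.Time }

// Store is a toy in-memory stand-in for the key store.
type Store struct{ keys map[string]session }

// Issue records a token with a short expiry and a longer, fixed lifetime.
func (s *Store) Issue(id string, now time.Time, expiry, lifetime time.Duration) {
	s.keys[id] = session{now.Add(expiry), now.Add(lifetime)}
}

// Check reports "valid", "expired" (record kept, expiry passed) or
// "not found" (record evicted). Using the key never moves evictAt.
func (s *Store) Check(id string, now time.Time) string {
	k, ok := s.keys[id]
	switch {
	case !ok || !now.Before(k.evictAt):
		delete(s.keys, id)
		return "not found"
	case !now.Before(k.expires):
		return "expired"
	}
	return "valid"
}

// Renew extends the expiry only while the record still exists.
func (s *Store) Renew(id string, now time.Time, expiry time.Duration) bool {
	if s.Check(id, now) == "not found" {
		return false
	}
	k := s.keys[id]
	k.expires = now.Add(expiry)
	s.keys[id] = k
	return true
}

func main() {
	day, t0 := 24*time.Hour, time.Unix(0, 0)
	s := &Store{keys: map[string]session{}}
	s.Issue("tok", t0, day, 7*day) // Expire 1 day, lifetime 1 week
	fmt.Println(s.Check("tok", t0.Add(2*day)), s.Check("tok", t0.Add(8*day)))
}
```

Between day 1 and day 7 the caller can be told the key has expired and it can still be renewed; after day 7 the record is gone and the same request is indistinguishable from an unknown key.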