Why doesn't the token expire after 5 minutes?

ElizavetaBelskya · March 24, 2024, 10:41am

I have a couple of questions about the configuration of authentication via tokens for users.

The access token expires in 5 minutes, but I can make requests and get the result without getting a 401. I do not know why this is so. I didn’t set up the session additionally.
I use Spring Boot with oauth2-resource-server:
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.csrf(AbstractHttpConfigurer::disable);
http.authorizeHttpRequests(x →
x.requestMatchers(“/users”, HttpMethod.POST.name()).permitAll()
.requestMatchers(“/login”, HttpMethod.POST.name()).permitAll()
.requestMatchers(“/refresh”, HttpMethod.POST.name()).anonymous()
.anyRequest().authenticated());
http.oauth2ResourceServer((oauth2) → oauth2.jwt(Customizer.withDefaults()));
return http.build();
}
After updating the refresh token, I can still use the old tokens. This way, I get two pairs of tokens for one user that can be used. Perhaps this is the default behavior. Help me set it up, please.

appsec_hero · March 25, 2024, 1:26am

Hello,
Regarding point 1 : to which endpoint you are sending the HTTP request ?

Topic		Replies	Views
Access tokens expiring after 5 minutes regardless of lifetime set when ajax calls are involved	2	1319	March 6, 2023
Refresh token expiration time does not renew on usage Configuring the server token-exchange	1	4449	February 20, 2024
Keycloak server issuing already expired tokens Securing applications oidc	6	9255	November 8, 2023
Remove Token When Session Terminates Configuring the server	0	1042	March 2, 2021
Token refresh extends user session Getting advice authentication , token-exchange	3	1193	February 8, 2024