The ability to control the SSO Auth expiry time

I have implemented SSO auth with Azure AD in our lab environment and it works well, however, having to reauthenticate every hour to access the network may become frustrating for users in some cases. It would be great if we had the ability to adjust the auth expiry time ourselves please.

All OIDC/SSO timeouts are controlled by the SSO server. In your case, that means they’re controlled by Azure AD. The timeouts provided by the SSO server are followed and enforced by ZeroTier. You’ll want to, at the very least, ensure Refresh Tokens are enabled as well. ZeroTier will automatically refresh the rotating tokens in the background.

Refresh & authorization tokens are only stored in RAM, so shutting down the computer, or sometimes sleeping too long will require a reauth to the OIDC server.

I was reading on this topic. It seems that the OIDC spec requires an explicit request of the offline_access scope in order to receive long-lived refresh tokens.

See here:
Microsoft identity platform scopes and permissions - Microsoft Entra | Microsoft Learn

This element is in the Azure AD > App Registrations > Your ZT App > API Permissions area. Select Add A Permission > Microsoft Graph > Delegated Permissions > offline_access

I do not know the ramifications of doing this, but that appears to be a feature related to the refresh tokens for extended sessions.

@paul.swaim That’s an “optional” part of the spec, and doesn’t necessarily mean you must have it present in order to get refresh tokens. Different providers do it different ways.

However, the offline_access scope is requested by default for most OIDC providers we support. The only ones we don’t request it on are:

  • OneLogin: doesn’t support that scope for PKCE clients. They still give you a refresh token even without it
  • Keycloak: offline_access can be requested, but is not required for refresh tokens.

Auth0 was the only provider I came across in testing where offline_access MUST be present to get a refresh token.

By default, Azure AD clients do indeed request the offline_access scope.

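To make the scope and refresh-token behaviour discussed in this thread concrete, here is a small client-side sketch. It is an added example, not ZeroTier's code: the provider names, the scope list, the endpoint and the token response are assumptions or constructed samples. It builds the authorization request (with `offline_access` requested unless the provider is one of the two named above), keeps the resulting tokens in memory only, and decides whether the client can refresh silently or must send the user back to the IdP.

```python
"""OIDC refresh-token handling sketch (example code, not ZeroTier's implementation)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode

# Providers for which the thread says offline_access is NOT requested (assumed identifiers).
NO_OFFLINE_ACCESS = {"onelogin", "keycloak"}


def build_scopes(provider: str) -> list:
    """Base OIDC scopes plus offline_access for providers that expect it."""
    scopes = ["openid", "profile", "email"]
    if provider.lower() not in NO_OFFLINE_ACCESS:
        scopes.append("offline_access")
    return scopes


def authorization_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                      provider: str, state: str, code_challenge: str) -> str:
    """Authorization-code + PKCE request; the scope parameter is space separated."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": " ".join(build_scopes(provider)), "state": state,
        "code_challenge": code_challenge, "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


@dataclass
class TokenSet:
    """Held in RAM only; never persisted, matching the behaviour described above."""
    access_token: str
    expires_at: float          # absolute time derived from the IdP's expires_in
    refresh_token: Optional[str]


def parse_token_response(resp: dict, now: float) -> TokenSet:
    """Turn a token-endpoint JSON response into a TokenSet; refresh_token may be absent."""
    return TokenSet(resp["access_token"], now + float(resp["expires_in"]), resp.get("refresh_token"))


def next_action(tokens: TokenSet, now: float, margin: float = 300.0) -> str:
    """'ok' while the access token is fresh, 'refresh' if a refresh token lets us renew
    in the background, 'reauth' if the IdP issued no refresh token (e.g. scope missing)."""
    if now < tokens.expires_at - margin:
        return "ok"
    return "refresh" if tokens.refresh_token else "reauth"


# Constructed sample response: a one-hour access token with a refresh token.
SAMPLE_RESPONSE = {"access_token": "eyJ...sample", "token_type": "Bearer",
                   "expires_in": 3600, "refresh_token": "0.sample-refresh"}
```

With the sample response the client reports `ok` for the first 55 minutes and `refresh` afterwards; drop the `refresh_token` key and the same call returns `reauth`, which is the hourly prompt the original poster saw.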