Hi,
I’m finding that access tokens and refresh tokens are being invalidated after the setting in the “SSO Session Idle Timeout” has elapsed for the direct-grant API.  Considering the direct-grant API enables browser-less application-to-application security, I’m not convinced that this is the right approach for many use cases.  For reliable authorization and access token validation, it basically requires setting the “SSO Session Idle Timeout” to the value of the Access Token timeout, which for many use cases will be measured in hours or even days.
Is there a good reason that “SSO Session Idle Timeout” should even be considered for direct-grants?
Thanks,

John