gifted-optician-26741
11/17/2024, 9:12 PM
brief-egg-61061
11/17/2024, 9:12 PM
brief-egg-61061
11/17/2024, 9:13 PM
```typescript
import { Configuration, OAuth2Api } from "@ory/client"

// API client for the Ory Network project, authenticated with an API key
const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

// Set per-grant token lifespans for a single OAuth2 client
export async function setClientLifespans(clientId: string) {
  await ory.setOAuth2ClientLifespans({
    id: clientId,
    oAuth2ClientTokenLifespans: {
      authorization_code_grant_access_token_lifespan: "1h",
      authorization_code_grant_id_token_lifespan: "12h",
      authorization_code_grant_refresh_token_lifespan: "24h",
      client_credentials_grant_access_token_lifespan: "1h",
      implicit_grant_access_token_lifespan: "1h",
      implicit_grant_id_token_lifespan: "12h",
      jwt_bearer_grant_access_token_lifespan: "1h",
      refresh_token_grant_access_token_lifespan: "1h",
      refresh_token_grant_id_token_lifespan: "12h",
      refresh_token_grant_refresh_token_lifespan: "24h",
    },
  })
}
```
This code allows you to set custom lifespans for different token types and grant types for a specific client [Configure token expiration time](https://www.ory.sh/docs/hydra/guides/client-token-expiration). You can adjust the values (e.g., "1h", "12h", "24h") according to your needs. Remember that the maximum age for refresh tokens is 6 months, as they must be rotated at least every 6 months [OAuth2 refresh token grant](https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant#change-refresh-token-lifespan).

If you prefer using the Ory CLI, you can create a client with custom TTL settings, but the process involves creating the client first and then updating its lifespans. The CLI doesn't provide a direct way to set custom TTLs during client creation.
gifted-optician-26741
11/17/2024, 9:13 PM
brief-egg-61061
11/17/2024, 9:13 PM
brief-egg-61061
11/17/2024, 9:14 PM
```
ory patch identity-config --project <project-id> --workspace <workspace-id> \
  --replace "/session/lifespan=720h" \
  --format yaml
```
This command sets the session lifespan to 720 hours (30 days) [Session lifespan](https://www.ory.sh/docs/kratos/session-management/session-lifespan). However, this is different from creating an OAuth2 client with a custom TTL. If you specifically need to create an OAuth2 client with custom token lifespans, you would typically use the Ory CLI or Hydra CLI, not the Kratos CLI.

If you have a different aspect of Kratos in mind or if I misunderstood your question, please feel free to clarify, and I'll do my best to provide accurate information based on the available knowledge sources.
brief-egg-61061
11/17/2024, 9:15 PM
brief-egg-61061
11/17/2024, 9:15 PM
```
docker run --rm -it --network hydraguide oryd/hydra:v2.0.1 \
  create oauth2-client \
  --endpoint http://ory-hydra-example--hydra:4445 \
  --grant-type client_credentials
```
This command will output the client ID and secret [Run your own OAuth2 Server](https://www.ory.sh/run-oauth2-server-open-source-api-security/#performing-the-oauth2-client-credentials-flow).

2. After creating the client, you can update its token lifespans using the `setOAuth2ClientLifespans` method. However, the Hydra CLI doesn't directly expose this method. Instead, you would need to use the Ory CLI or the SDK to set custom lifespans. Using the Ory CLI, you can update the token lifespans for a specific client like this:

```
ory update oauth2-client <client-id> \
  --project <project-id> \
  --workspace <workspace-id> \
  --authorization-code-grant-access-token-lifespan 1h \
  --authorization-code-grant-id-token-lifespan 12h \
  --authorization-code-grant-refresh-token-lifespan 24h \
  --client-credentials-grant-access-token-lifespan 1h \
  --implicit-grant-access-token-lifespan 1h \
  --implicit-grant-id-token-lifespan 12h \
  --jwt-bearer-grant-access-token-lifespan 1h \
  --refresh-token-grant-access-token-lifespan 1h \
  --refresh-token-grant-id-token-lifespan 12h \
  --refresh-token-grant-refresh-token-lifespan 24h
```

Replace `<client-id>`, `<project-id>`, and `<workspace-id>` with your actual values. You can adjust the lifespan values as needed. It's important to note that while we're using the Ory CLI in this step, it's interacting with the Hydra OAuth2 server to set these lifespans [Configure token expiration time](https://www.ory.sh/docs/hydra/guides/client-token-expiration). Remember, the maximum age for refresh tokens is 6 months, as they must be rotated at least every 6 months [OAuth2 refresh token grant](https://www.ory.sh/docs/oauth2-oidc/refresh-token-grant#change-refresh-token-lifespan).
gifted-optician-26741
11/17/2024, 9:16 PM
brief-egg-61061
11/17/2024, 9:16 PM
brief-egg-61061
11/17/2024, 9:17 PM
```
hydra create oauth2-client \
  --endpoint http://ory-hydra-example--hydra:4445 \
  --grant-type client_credentials
```
This command will create a new client and output the client ID and secret [Run your own OAuth2 Server](https://www.ory.sh/run-oauth2-server-open-source-api-security/#performing-the-oauth2-client-credentials-flow).

2. After creating the client, you can update its token lifespan using the Ory CLI. For a client_credentials client, you'll primarily be interested in setting the `client_credentials_grant_access_token_lifespan`. Here's how you can do it:

```
ory update oauth2-client <client-id> \
  --project <project-id> \
  --workspace <workspace-id> \
  --client-credentials-grant-access-token-lifespan 2h
```

Replace `<client-id>`, `<project-id>`, and `<workspace-id>` with your actual values. The `2h` in this example sets the access token lifespan to 2 hours for the client_credentials grant. You can adjust this value as needed [Configure token expiration time](https://www.ory.sh/docs/hydra/guides/client-token-expiration).

It's important to note that client_credentials grants typically don't use refresh tokens or ID tokens, so you don't need to set lifespans for those. The access token lifespan is the most relevant setting for this grant type. Remember, while we're using the Ory CLI in the second step, it's interacting with the Hydra OAuth2 server to set these lifespans. The Hydra CLI itself doesn't provide a direct method to update token lifespans after client creation.