The access token lifetime determines the time period during which Avaya Workplace Client does not prompt the user to re-authenticate. Refresh tokens are used to refresh the access token lifetime. You can use the Keycloak service to configure the lifetime for access and refresh tokens. The main settings are the following:

• Access Token Lifespan: Sets the expiry time for access tokens.

• SSO Session Idle: Sets the expiry time for refresh tokens. If the refresh token is not used by the expiry time, then the Avaya Workplace Client user needs to log in again to get new access and refresh tokens.

• SSO Session Max: Sets the overall maximum time period for refresh tokens. During this time, refresh tokens can be used to obtain new access tokens.

The choice of a lifespan for tokens is a trade-off between security and user experience impact:

• If the token lifespan is too long, it increases the opportunity for a malicious actor to capture the tokens.

• If the token lifespan is too short, Avaya Workplace Client frequently prompts users to log in again.

For more information and recommendations, see Access and refresh token expiry times.