Refresh Token and Session Management
- Refresh Token
- Session Management
The Absolute Lifetime applies to the refresh token (see Configure Refresh Token Expiration). If this setting is disabled, the absolute lifetime is indefinite, as stated in the document.
The default Access Token expiration is 24 hours, and ID Token expiration is 10 hours. Refer to these documents for more information:
The following are some areas of consideration for session and token lifetimes and where to find them in tenant and application settings.
Dashboard > Applications > APIs > API Settings
- This is the expiry of the Access Token.
- Once this time has elapsed and the user performs any activity on the page, the silent authentication process is triggered and a new Access Token is issued.
- The maximum allowed expiration value for issued access tokens is 2592000 seconds (30 days).
Dashboard > Applications > Applications > Application Settings
- This interval helps to avoid concurrency issues when the same rotating Refresh Token is exchanged multiple times within a given timeframe. During the leeway window, the breach detection features do not apply and a new rotating Refresh Token is issued. Only the previous token can be reused; if the second-to-last one is exchanged, breach detection is triggered.
- This is the expiry of the Refresh Token, which is used to get a new Access Token.
- Once this time has elapsed and the user performs any activity on the page, a Refresh Token is issued.
- This will issue a new Access Token.
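To make the reuse-interval leeway and breach-detection behaviour described above concrete, here is a small toy model of rotating refresh tokens. It is an added example, not Auth0's code: the `RotatingRefreshTokens` class, its `login`/`exchange` methods, the status strings and the lifetime values are all constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Family:
    """One refresh-token family: every token descends from a single login."""
    created: float
    live: set = field(default_factory=set)   # tokens currently accepted
    leeway_token: Optional[str] = None       # last rotated token, reusable for a while
    leeway_until: float = 0.0
    revoked: bool = False

class RotatingRefreshTokens:
    """Toy model (added example, not Auth0's code) of rotating refresh tokens
    with a Reuse Interval leeway, breach detection and an Absolute Lifetime."""
    def __init__(self, reuse_interval=30, absolute_lifetime=30 * 24 * 3600):
        self.reuse_interval = reuse_interval        # seconds, constructed value
        self.absolute_lifetime = absolute_lifetime  # seconds, constructed value
        self.families = {}                          # family id -> Family
        self.owner = {}                             # token -> family id

    def login(self, now: float) -> str:
        """A fresh login starts a new family and issues its first refresh token."""
        fid, tok = secrets.token_urlsafe(8), secrets.token_urlsafe(16)
        self.families[fid] = Family(created=now, live={tok})
        self.owner[tok] = fid
        return tok

    def exchange(self, token: str, now: float):
        """Trade a refresh token for a new one. Returns (status, new_token_or_None)."""
        fid = self.owner.get(token)
        if fid is None:
            return "invalid", None
        fam = self.families[fid]
        if fam.revoked:
            return "revoked", None
        if now - fam.created > self.absolute_lifetime:
            fam.revoked = True                      # absolute lifetime is a hard stop
            return "expired", None
        in_leeway = token == fam.leeway_token and now <= fam.leeway_until
        if token not in fam.live and not in_leeway:
            fam.revoked = True                      # older token reused: breach detected
            return "breach", None
        new = secrets.token_urlsafe(16)
        self.owner[new] = fid
        fam.live.add(new)
        if not in_leeway:                           # normal rotation: retire the used token
            fam.live.discard(token)
            fam.leeway_token, fam.leeway_until = token, now + self.reuse_interval
        return "leeway" if in_leeway else "rotated", new
```

Reusing the most recently rotated token inside the reuse interval yields another fresh token, while reusing it after the interval, or reusing any older token, revokes the whole family.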
Dashboard > Settings (tenant setting) > Advanced > Log In Session Management > Inactivity timeout
It is described in detail here: Session Lifetime Limits.