Using Google for the identity provider I see the shortest token expiry configurable is 3 days. Can this be reduced with an Enterprise Contract or custom, direct SAML/OIDC federation?
Emaling support@tailscale.com can reduce it as low as 24 hours.
It is generally unpleasant to use, as reauthentication notifications occur frequently, but can be done.