Hi,
We have a problem with absolute expiration which does not always work like we expect:
Setup:
- absolute expiration set to 10 minutes
- access token expiration set to 5 minutes
- refresh token rotation is ON
My understanding of this setup was that the latest the user would be logged out (logged out meaning in this case that he would not have a valid token to make a call and there is no way to refresh it) is 15 minutes after login, in case the refresh token along with the access token is refreshed just before absolute expiration.
What I can see happening:
- minute 0: login with user
- minute 6: new refresh and access token returned
- minute 12: try to refresh token - should log out, but an access token and new refresh token are actually returned
- minute 17: try to refresh token - should log out, but an access token and new refresh token are actually returned
- minute 22: try to refresh token - user logged out, 12 minutes after absolute expiration, using 2 extra refresh token rotations.
In this scenario it more than doubled the period of the user login session. This is not happening all the time; most of the time it works as expected. I have Auth0 logs for every event included in the steps if needed.
Thank you.
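A toy model of the behaviour the post expects, added here as an example and not code from the post or from Auth0: refresh-token rotation where the absolute expiration is anchored at login, so rotating never extends the session. The class and function names, and the seconds-based clock, are assumptions; the two lifetimes come from the post.

```python
from dataclasses import dataclass

ABSOLUTE_LIFETIME = 10 * 60  # seconds; refresh-token family absolute expiration (post)
ACCESS_LIFETIME = 5 * 60     # seconds; access token lifetime (post)

@dataclass(frozen=True)
class TokenPair:
    access_expires_at: int  # when the access token stops being valid
    refresh_id: int         # single-use refresh token (rotation)
    family_started_at: int  # login time, shared by every rotated token

class RotatingRefreshServer:  # hypothetical model, not Auth0's implementation
    def __init__(self):
        self._next_id = 0
        self._live = set()  # refresh ids not yet presented

    def login(self, now):
        return self._issue(now, now)

    def refresh(self, token, now):
        # Rotation: a refresh token is valid for exactly one use.
        if token.refresh_id not in self._live:
            raise PermissionError("refresh token reuse")
        self._live.discard(token.refresh_id)
        # Absolute expiration counts from login, not from the last rotation.
        if now >= token.family_started_at + ABSOLUTE_LIFETIME:
            raise PermissionError("refresh token family expired")
        return self._issue(now, token.family_started_at)

    def _issue(self, now, family_started_at):
        self._next_id += 1
        self._live.add(self._next_id)
        return TokenPair(now + ACCESS_LIFETIME, self._next_id, family_started_at)

def replay(refresh_minutes):  # login at minute 0, then refresh at each listed minute
    server, outcomes = RotatingRefreshServer(), []
    token = server.login(0)
    for minute in refresh_minutes:
        try:
            token = server.refresh(token, minute * 60)
            outcomes.append("ok")
        except PermissionError:
            outcomes.append("denied")
    return outcomes

def latest_logout_time():
    # Worst case from the post: refresh one second before absolute expiration.
    server = RotatingRefreshServer()
    token = server.refresh(server.login(0), ABSOLUTE_LIFETIME - 1)
    return token.access_expires_at  # second at which the last access token dies
```

With these rules the timeline in the post comes out as ok, denied, denied, denied, and the last possible access token dies just under 15 minutes after login.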