About the 'Reducing Maximum Expiration Time for Login Transactions.' Email

Problem statement

All tenant members received an email about changes in the maximum expiration time for login transactions. Starting October 17, 2023, Auth0 will enforce a maximum lifetime of 1 hour for these flows. Transactions that take longer than 1 hour to complete will expire.

Cause

The default setting was 3 days and has been reduced to one hour.

Solution

Users should be affected minimally, since the email refers exclusively to the time the login transaction takes to complete as a whole. For example, a user can initiate a login transaction and wait up to an hour with the login dialog open before actually completing login. Previously, the login page could be left open for up to 3 days. This is not to be confused with session timeouts, which are configurable on the Auth0 Dashboard: those take effect only once a user has logged in, so they are completely separate and unrelated.

The change relates to the login transaction only. Generally, users will load the login page and log in. Once the change comes into effect, if they load the login page, wait for over an hour, and then attempt to log in, they will either get the server error shown in the email example, or the default login route will activate and they will have to start a new login transaction.

Note that if an application does not have a default login route configured, the tenant level default login route will be used instead. If neither is configured, users will see an Auth0 error page.
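The following is an added example, not code from Auth0 or from this article: a sketch of what an application's own default login route can do when a user arrives after an expired transaction, namely start a completely new login transaction with fresh `state` and PKCE values. It assumes the Authorization Code flow with PKCE against the tenant's `/authorize` endpoint; the domain, client ID, callback URL, and the `session` object are placeholders.

```javascript
// Added example: handler logic for an application's default login route.
// All CONFIG values are placeholders (assumptions), not from the article.
const { randomBytes, createHash } = require('node:crypto');

const CONFIG = {
  domain: 'login.example.com',                     // placeholder tenant domain
  clientId: 'YOUR_CLIENT_ID',                      // placeholder client ID
  redirectUri: 'https://app.example.com/callback', // placeholder callback URL
};

// Build a brand-new /authorize request. Every call generates fresh state and
// PKCE values, so nothing from the expired transaction is reused.
function startLoginTransaction(config = CONFIG) {
  const state = randomBytes(16).toString('base64url');
  const codeVerifier = randomBytes(32).toString('base64url');
  const codeChallenge = createHash('sha256')
    .update(codeVerifier)
    .digest('base64url');

  const url = new URL(`https://${config.domain}/authorize`);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: config.clientId,
    redirect_uri: config.redirectUri,
    scope: 'openid profile',
    state,
    code_challenge: codeChallenge,
    code_challenge_method: 'S256',
  }).toString();

  return { location: url.toString(), state, codeVerifier };
}

// Framework-neutral route handler. `session` is a hypothetical per-user,
// server-side store; stale values from the old transaction are overwritten.
function handleLoginRoute(session, config = CONFIG) {
  const tx = startLoginTransaction(config);
  session.oauthState = tx.state;
  session.codeVerifier = tx.codeVerifier;
  return { status: 302, headers: { Location: tx.location } };
}
```

The callback handler should compare the returned `state` with `session.oauthState` and reject a mismatch, so a response belonging to an abandoned transaction is never accepted.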
