SDK: auth0-spa-js@1.18.0
Chrome 95
I want to make our users re-log-in after 24 hours, regardless of activity. I don’t think what I did is working, so I made a test app/api to test and I can’t make my frontend fail properly when it expires. I may be completely misunderstanding the flow.
I have an API in Auth0 called “Expire Test API”. It has “Token Expiration (Seconds) *”: 30 and “Token Expiration For Browser Flows (Seconds) *”: 30. “Allow Skipping User Consent” is on and “Allow Offline Access” is off.
I have an application in Auth0 called “Expire Test”. It is a “Single Page Application”. “ID Token Expiration”: 60, “Rotation” is off, “Absolute Expiration” is on, “Absolute Lifetime”: 60. “Inactivity Expiration” is off. I haven’t changed any of the defaults under “Advanced”.
In the front end I make one instance of the Auth0Client via:
    import createAuth0Client, { Auth0Client } from "@auth0/auth0-spa-js";

    // Single shared client, created lazily on first use
    let auth0: Auth0Client | null = null;

    export const getAuth0Client = async (): Promise<Auth0Client> => {
      if (!auth0) {
        auth0 = await createAuth0Client({
          useRefreshTokens: false,
          domain: "the correct domain",
          client_id: "expire app ID",
          redirect_uri: `${window.location.origin}/login_callback`,
          audience: "expire test API audience",
          cacheLocation: "localstorage",
        });
      }
      return auth0;
    };
(I’ve tried useRefreshTokens as true, false, and omitted). When the user enters the app I call auth0.isAuthenticated() and if that’s false I redirect them to the login.
When I do an API call, I do:
    const auth0 = await getAuth0Client();
    // ignoreCache forces the SDK to fetch a token instead of returning the cached one
    let accessToken = await auth0.getTokenSilently({
      ignoreCache: true,
    });
Expectation:
- After 60 seconds, if I refresh the page, I’m redirected to the login page.
Actual:
- I stay logged in without a problem.
Expectation:
- If I log in, then wait over 60 seconds, then call an API, it fails because the token is no longer valid.
Actual:
- It works without a problem.
When I call an API (i.e. I use getTokenSilently()) after 60 seconds, I can see in the network tab in Chrome that it calls authorize, then it calls oauth/token. How is it able to do that and how do I make it stop?
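One way to check what those authorize and oauth/token calls actually return, as an added example that is not code from the original post or from the Auth0 SDK: decode the `iat` and `exp` claims of the token getTokenSilently() hands back and compare it with the token obtained at login, which shows whether the 30-second expiry is being honoured and whether a fresh token was minted by silent re-authentication. The helper names, the constructed unsigned sample tokens and the issuer URL are assumptions of this example; the code only inspects the payload and does not verify signatures, so it is for diagnosis, not for trusting a token.

```typescript
// Alphabet for base64url (RFC 4648 §5), which JWT segments use without padding.
const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Encode a string of byte values (code points < 256) as unpadded base64url.
function b64urlEncode(s: string): string {
  let out = "";
  for (let i = 0; i < s.length; i += 3) {
    const b = s.charCodeAt(i + 1), c = s.charCodeAt(i + 2);
    const n = (s.charCodeAt(i) << 16) | ((isNaN(b) ? 0 : b) << 8) | (isNaN(c) ? 0 : c);
    out += B64URL[n >> 18] + B64URL[(n >> 12) & 63];
    if (i + 1 < s.length) out += B64URL[(n >> 6) & 63];
    if (i + 2 < s.length) out += B64URL[n & 63];
  }
  return out;
}

// Decode unpadded base64url back to a byte string; trailing pad bits are dropped.
function b64urlDecode(s: string): string {
  let buf = 0, bits = 0, out = "";
  for (const ch of s) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error(`invalid base64url character: ${ch}`);
    buf = (buf << 6) | v;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((buf >> bits) & 0xff);
      buf &= (1 << bits) - 1;
    }
  }
  return out;
}

interface TokenClaims { iat?: number; exp?: number; [claim: string]: unknown }

// Read the payload (second segment) of a compact JWS/JWT. No signature check.
function decodeJwtPayload(jwt: string): TokenClaims {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS token");
  return JSON.parse(b64urlDecode(parts[1])) as TokenClaims;
}

// "expired": the current token's exp is already past; "reissued": its iat is later
// than the login token's, i.e. silent re-authentication minted a new one; "cached":
// the same token came back. nowSec is seconds since the epoch, like the claims.
function classifyToken(loginJwt: string, currentJwt: string, nowSec: number): "expired" | "reissued" | "cached" {
  const first = decodeJwtPayload(loginJwt), cur = decodeJwtPayload(currentJwt);
  if (cur.exp !== undefined && cur.exp <= nowSec) return "expired";
  if (cur.iat !== undefined && first.iat !== undefined && cur.iat > first.iat) return "reissued";
  return "cached";
}

// Constructed, unsigned sample tokens (alg "none", empty signature); not real Auth0 tokens.
function sampleToken(iat: number, ttlSec: number): string {
  const header = b64urlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  const payload = b64urlEncode(JSON.stringify({ iss: "https://example.invalid/", iat, exp: iat + ttlSec }));
  return `${header}.${payload}.`;
}
```

In the real app, keep the token string from the first getTokenSilently() after login and pass it together with each later token and Date.now()/1000 to classifyToken(); a result of "reissued" after the 30-second window confirms that the authorize call is producing new tokens rather than the API rejecting the old one.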