"Absolute Expiration" doesn't seem to work

SDK: auth0-spa-js@1.18.0
Chrome 95

I want to make our users re-log-in after 24 hours, regardless of activity. I don’t think what I did is working, so I made a test app/api to test and I can’t make my frontend fail properly when it expires. I may be completely misunderstanding the flow.

I have an API in Auth0 called “Expire Test API”. It has “Token Expiration (Seconds) *”: 30 and “Token Expiration For Browser Flows (Seconds) *”: 30. “Allow Skipping User Consent” is on and “Allow Offline Access” is off.

I have an application in Auth0 called “Expire Test”. It is a “Single Page Application”. “ID Token Expiration”: 60, “Rotation” is off, “Absolute Expiration” is on, “Absolute Lifetime”: 60. “Inactivity Expiration” is off. I haven’t changed any of the defaults under “Advanced”.

In the front end I make one instance of the Auth0Client via:

// Single shared client instance for the whole SPA.
let auth0: Auth0Client | null;

export const getAuth0Client = async (): Promise<Auth0Client> => {
  if (!auth0) {
    auth0 = await createAuth0Client({
      useRefreshTokens: false,
      domain: "the correct domain",
      client_id: "expire app ID",
      redirect_uri: `${window.location.origin}/login_callback`,
      audience: "expire test API audience", // closing quote was missing in the original snippet
      cacheLocation: "localstorage",
    });
  }
  return auth0;
};

(I’ve tried useRefreshTokens as true, false, and omitted). When the user enters the app I call auth0.isAuthenticated() and if that’s false I redirect them to the login.

When I do an API call, I do

const auth0 = await getAuth0Client();
// ignoreCache forces a fresh token request instead of reusing the cached one
let accessToken = await auth0.getTokenSilently({
  ignoreCache: true,
});

Expectation:

  • After 60 seconds, if I refresh the page, I’m redirected to the login page.

Actual:

  • I stay logged in without a problem.

Expectation:

  • If I log in, then wait over 60 seconds, then call an API, it fails because the token is no longer valid.

Actual:

  • It works without a problem.

When I call an API (aka I use getTokenSilently()) after 60 seconds, I can see in the network tab in Chrome that it calls authorize, then it calls oauth/token. How is it able to do that and how do I make it stop?

Hi @dustin-relicx

You create an auth0 session when you log in, and the silent auth checks this session. If it exists, then you get a new access token back without entering your credentials again.

Go to your tenant settings in your dashboard, click the Advanced tab, and go to Login Session Management, and update those.

John

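As an added example (not code from the original post or from auth0-spa-js), the block below shows the two pieces a practitioner would want alongside John's answer: a way to read the `exp` claim of the short-lived access token so you can see that each `getTokenSilently({ ignoreCache: true })` call really does return a fresh token, and a client-side absolute-lifetime check that calls `logout()` once a login is older than the limit, which ends the Auth0 session so silent auth can no longer mint tokens. It assumes an `Auth0Client`-like object with `getTokenSilently()` and `logout({ returnTo })` (method names as in auth0-spa-js 1.x), a `Storage`-like object (`window.localStorage` in the browser; an in-memory stand-in here), and the storage key `login_started_at`, which is a hypothetical name. The sample token is constructed and unsigned; the tenant-level Login Session Management settings John points to remain the real control, since anything in browser storage can be edited by the user.

```javascript
// Added example, not code from the original post or from auth0-spa-js.
// Assumes an Auth0Client-like object exposing getTokenSilently() and
// logout({ returnTo }) as in auth0-spa-js 1.x, and a Storage-like object
// with getItem/setItem/removeItem (window.localStorage in a browser).
const LOGIN_STARTED_KEY = "login_started_at"; // hypothetical storage key

// Decode a JWT payload WITHOUT verifying the signature. The API must verify
// tokens; the browser only reads timing claims to drive UX decisions.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// Seconds until `exp`; negative when the token has already expired.
function secondsUntilExpiry(token, nowSeconds) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== "number") throw new Error("token has no exp claim");
  return exp - nowSeconds;
}

// Client-side absolute lifetime: remember when this login began and report
// when maxAgeSeconds has elapsed, regardless of how fresh the latest access
// token is. This complements the tenant session settings; it does not replace
// them (a user can edit storage), so treat it as UX, not as a security control.
function checkAbsoluteLifetime(storage, nowMs, maxAgeSeconds) {
  const started = storage.getItem(LOGIN_STARTED_KEY);
  if (started === null) {
    storage.setItem(LOGIN_STARTED_KEY, String(nowMs));
    return { expired: false, ageSeconds: 0 };
  }
  const ageSeconds = (nowMs - Number(started)) / 1000;
  return { expired: ageSeconds >= maxAgeSeconds, ageSeconds };
}

// Get a token for an API call, but force a real logout (which ends the Auth0
// session, so silent auth can no longer hand out tokens) once the lifetime is up.
async function getTokenOrLogout(auth0, storage, nowMs, maxAgeSeconds, returnTo) {
  const state = checkAbsoluteLifetime(storage, nowMs, maxAgeSeconds);
  if (state.expired) {
    storage.removeItem(LOGIN_STARTED_KEY);
    await auth0.logout({ returnTo });
    return null;
  }
  return auth0.getTokenSilently({ ignoreCache: true });
}

// Constructed sample token (unsigned; the signature segment is a dummy) to
// exercise the decoder offline: issued at 1700000000, expiring 30 s later,
// matching the 30-second "Token Expiration" from the question.
function base64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  base64url({ alg: "none", typ: "JWT" }),
  base64url({ iss: "https://example.invalid/", aud: "expire-test-api",
              iat: 1700000000, exp: 1700000030 }),
  "sig",
].join(".");

// Constructed in-memory stand-in for localStorage so the block runs in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, v); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

In the browser you would call `getTokenOrLogout(await getAuth0Client(), window.localStorage, Date.now(), 24 * 3600, window.location.origin)` wherever the question's `getTokenSilently` call sits; `secondsUntilExpiry(accessToken, Math.floor(Date.now() / 1000))` logged before and after a silent call makes the "new token every time" behaviour visible without the network tab.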