ASP.NET cookie not re-validated / claims not updated

I’m working on integrating Auth0 into an ASP.NET / react application using cookie auth via the auth0-aspnetcore-authentication package.

My issue is that the user auth is never re-validated e.g.

  • If their claims are updated in auth0, they are not updated in my application
  • If the user resets their password, the user is not logged out of my application
  • If the user is deleted, the user is not logged out of my application

I would expect that the user session would periodically be re-validated and claims be updated, it that not the case? If not, how can I manually trigger the session/claims to update without logging the user out periodically?

I see support for backchannel logout, but this is an enterprise feature and I think a periodical validation/refresh would be acceptable. I also see an “Id Token Expiration” setting against the application, but in my test configuring this to be 60s doesn’t seem to do anything.