
Auth Token Timeout for PWA app

jwt

#1

Hello there,

I am building a progressive web app and I have a question with regard to expiry timeouts of access tokens. I believe at the moment the maximum expiry time for browser-based tokens is 24 hours?! That’s roundabout what I am seeing anyway.

In my humble opinion, this is a bit of a problem for Auth0 PWAs going forwards as it leads to an app experience where you are routinely logged out of the app yet receiving notifications and makes the app less appy and more webby :slight_smile: and is a bit jarring.

Do we think there is anything to be done, or possibly might change in future as PWAs gain prominence?

Best,
Ben


#3

Yes, the Token Expiration For Browser Flows (Seconds) has a hard limit of 86400 (24 hours). We can leverage the `checkSession` method, for example, which allows us to acquire a new token from Auth0 for a user who is already authenticated against Auth0 for your domain. So, we are able to get a new token without having the user log in again, given that the user is still authenticated against our domain. A user will remain authenticated against our domain until the maximum lifetime is reached, configured through the SSO Cookie Timeout setting in the advanced tenant settings, or the maximum inactivity timeout is reached, currently set to 3 days and non-configurable. I know there’s planned work on giving more control over the authentication session, but I don’t have a timeline for this.
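
The renewal flow described in the answer above, as an added example that is not part of the original thread and not Auth0's own code: renew shortly before the access token expires, and fall back to an interactive login once the Auth0 session itself has ended. `client` is assumed to be anything exposing auth0.js's `checkSession(options, callback)`; `createSession`, `renewalDelayMs` and the 60-second margin are hypothetical names and values chosen for illustration.

```javascript
// Added example: silent renewal within the 24-hour browser token limit.
// Assumption: renew one minute before the token expires.
const RENEW_MARGIN_SECONDS = 60;

// OIDC errors meaning a silent (prompt=none) request cannot succeed and the
// user has to go through an interactive login again.
const NEEDS_INTERACTION = new Set([
  'login_required', 'consent_required', 'interaction_required',
]);

// Milliseconds to wait before renewing a token valid for `expiresIn` seconds.
function renewalDelayMs(expiresIn, marginSeconds = RENEW_MARGIN_SECONDS) {
  return Math.max(0, expiresIn - marginSeconds) * 1000;
}

// `client`: object with checkSession(options, callback), e.g. an auth0.js
// WebAuth instance. `schedule` is injectable so the logic can be tested
// without real timers; it defaults to setTimeout.
function createSession(client, { onToken, onLoginRequired, schedule = setTimeout }) {
  // The token is held in memory only and dropped as soon as renewal fails.
  const state = { accessToken: null, expiresAt: 0, status: 'unknown' };

  function renew() {
    client.checkSession({}, (err, result) => {
      if (err) {
        state.accessToken = null;
        state.expiresAt = 0;
        if (NEEDS_INTERACTION.has(err.error)) {
          // The Auth0 session is gone (lifetime or inactivity limit reached).
          state.status = 'login_required';
          onLoginRequired();
        } else {
          // Anything else (network failure, timeout): report, do not loop.
          state.status = 'error';
        }
        return;
      }
      state.accessToken = result.accessToken;
      state.expiresAt = Date.now() + result.expiresIn * 1000;
      state.status = 'authenticated';
      onToken(result.accessToken);
      // Queue the next silent renewal before this token runs out.
      schedule(renew, renewalDelayMs(result.expiresIn));
    });
  }

  return { renew, state };
}
```

Call `renew()` once at application start; if the Auth0 session is still alive the app gets a fresh token without a redirect, otherwise `onLoginRequired` fires immediately.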


#4

Thanks for letting me know the current status.

Appreciated