Auth0 Single Page App SDK getTokenSilently endless lifetime?

Hi All!

We are using the Auth0 Single Page App SDK on my project and we're trying to cover all session-related edge cases. For example: updating the quantity of a product in your cart after your ID token has expired. Note that we are sending the ID token to our Magento instance and NOT the access token.

We are calling getTokenSilently before our call to make sure a new token is fetched when our current one has expired. We know there is still an ITP browser-related issue we need to take into account, but let's ignore that for now.

My latest test:

  1. Wait 24 hours for my access token to expire; in the meantime the ID token also expired, as it only has a lifetime of 1 hour.
  2. Increase the quantity while still on the same page (no page refresh happened in those 24 hours).
  3. getTokenSilently triggered and returned a new access token.

I did not expect this token call to still be successful. I've found the following block in the docs:

"Get a new Access Token silently using either a hidden iframe and prompt=none, or by using a rotating Refresh Token. Refresh Tokens are used when useRefreshTokens is set to true when configuring the SDK." - Auth0 Single Page App SDK

  1. Does this mean that I can keep on calling getTokenSilently until the end of time and I will keep on getting a new access token and ID token? In other words, is getTokenSilently using an iframe the same as using refresh tokens?
  2. Will login_required ever be thrown?

Thanks in advance!

Hey there @druwe.jeroen, welcome to the community!

Both methods are similar in their outcome; however, using refresh tokens is generally preferred for various reasons (browser privacy controls). Both methods will be successful only if there is a valid session at the authorization server.

If the user’s Auth0 session has expired for example, then calling getTokenSilently will fail and login_required will be returned.
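As an added illustration of the answer above (example code, not from the thread or the Auth0 SDK itself): a SPA should treat getTokenSilently as succeeding only while the Auth0 session exists, and handle the login_required rejection by sending the user through a full login. The Auth0Client is stubbed with a constructed stand-in so the snippet runs offline; `returnTo` and the stub's token strings are assumptions.

```javascript
// Added example: fetch a fresh access token plus the raw ID token (the one the
// thread sends to Magento). Returns { accessToken, idToken } while the Auth0
// session is valid, or null after handing control to loginWithRedirect when the
// SDK rejects with error === 'login_required'. Other errors propagate unchanged.
async function refreshTokens(client, returnTo = '/cart') {
  try {
    const accessToken = await client.getTokenSilently();
    // auth0-spa-js exposes the raw ID token as `__raw` on the claims object.
    const claims = await client.getIdTokenClaims();
    return { accessToken, idToken: claims.__raw };
  } catch (err) {
    if (err && err.error === 'login_required') {
      // The session at the authorization server is gone: silent renewal can
      // never succeed again, so start an interactive login and come back here.
      await client.loginWithRedirect({ appState: { returnTo } });
      return null;
    }
    throw err; // network failures, consent_required, etc. are not swallowed
  }
}

// Constructed stand-in for an Auth0Client so the example runs offline.
// `sessionValid` models whether the user's Auth0 session still exists
// (the "valid session at the authorization server" from the answer above).
function makeFakeClient(sessionValid) {
  const calls = [];
  return {
    calls,
    async getTokenSilently() {
      calls.push('getTokenSilently');
      if (!sessionValid) {
        const e = new Error('Login required');
        e.error = 'login_required'; // shape of the SDK's GenericError
        throw e;
      }
      return 'access-token-constructed';
    },
    async getIdTokenClaims() {
      calls.push('getIdTokenClaims');
      return { sub: 'auth0|constructed-user', __raw: 'id-token-constructed' };
    },
    async loginWithRedirect(opts) {
      calls.push('loginWithRedirect:' + opts.appState.returnTo);
    },
  };
}
```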

First of all, thanks for taking the time to provide an answer!

Yeah, I would also like to move over to refresh tokens, but I am not managing that part of the setup and they can only move over to refresh tokens in Q1 of 2024, as they first need to investigate the impact on the mobile app apparently.

As I don't have access to the Auth0 management interface, I can only assume you mean the Inactivity timeout & Require log in after settings at Configure Session Lifetime Settings?
