It seems that every auth session lifetime, and issuance of access tokens is related to the values set for the Login Session Management in the tenant. If a user is authenticated and has a login session they can get access and id tokens.
Given 3 separate SPA applications in the same tenant, is there a way to have different auth session TTLs for each application? We can adjust the TTL of the ID and Refresh Tokens in the Application, and the TTL of the Access token in the API, but it seems like the TTL of the login session is what ultimately matters.
Is this accurate and/or is there an approach to have different applications with different session lengths?
Individual applications can use the max_age parameter in the authorization request if they have specific requirements.
E.g. you can have a tenant-wide session length of 3 days but a single application with stricter requirements specifying max_age=28800 (8 hours). If the last authentication happened before 8 hours, Auth0 will force the user to re-authenticate.
Applications should check the auth_time of the ID token to ensure that the received token corresponds to the requested max_age (and no one altered the request). Most SDKs/OIDc middlewares should check that for you.