Authorization Code with PKCE flow for SPA with Refresh Token and idle timeout

Hello,
I am trying to set up Auth0 for my SPA using the @auth0/auth0-vue npm package. The business use case says that if the user is idle/inactive for 15 minutes after login, he should be logged out of the application. I also intend to use a rotating refresh token with which I can request a new access token every 2 minutes. I tried many possible combinations of the settings provided by Auth0 but still failed to achieve the desired behaviour. Please find attached the screenshot of my Auth0 configuration for reference.



Kindly look into the above-mentioned issue and provide assistance ASAP, as this is quite critical for my team.

Hi there @ritik.raj welcome to the community!

Can you help us understand which settings you’ve tried so far? You can set an inactivity timeout in session lifetime settings, but you may want to call logout from your application as well. The following FAQ could also prove useful:

Which part of the desired behavior are you referring to? Are you unable to get refresh tokens working? Please see above for logging users out of Auth0.


I am able to retrieve the refresh token from Auth0, but I am experiencing issues with the inactivity timeout behavior.

Issue:

  • Inactivity Timeout: Set to 3 minutes
  • Absolute Timeout: Set to 6 minutes

Scenario:

  1. The user logs in and actively uses the application for 1 minute.
  2. The user then goes idle.

Expected Behavior:

  • The user should be logged out 3 minutes after going idle, which would be 4 minutes after logging in.

Actual Behavior:

  • The user is being logged out 2 minutes after going idle, which is 3 minutes after logging in.

This indicates that the inactivity timeout is starting from the login time, not from the time the user goes inactive.

Also, you mentioned in your reply that I may have to call logout manually. Could you explain further why it is required and under what conditions I have to do that?

Please find my Auth0 settings below.

Tenant Settings:

```json
"idle_session_lifetime": 0.25,
"session_lifetime": 168,
"session_cookie": {
  "mode": "non-persistent"
},
```

SPA Settings:

```json
"refresh_token": {
  "expiration_type": "expiring",
  "leeway": 900,
  "token_lifetime": 3600,
  "idle_token_lifetime": 900,
  "infinite_token_lifetime": false,
  "infinite_idle_token_lifetime": false,
  "rotation_type": "rotating"
},

"jwt_configuration": {
  "alg": "RS256",
  "lifetime_in_seconds": 900,
  "secret_encoded": false
},

"grant_types": [
  "implicit",
  "authorization_code",
  "refresh_token"
]
```
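As an added example (not code from either poster, nor from Auth0), here is the application-side idle logout that the reply above suggests, written in plain JavaScript against the timings discussed in this thread. The `auth0` object with `getAccessTokenSilently` and `logout` is assumed to be what `useAuth0()` returns in @auth0/auth0-vue, and the `cacheMode: 'off'` option is assumed from auth0-spa-js.

```javascript
// Added example: an app-side idle timer for an Auth0 SPA. The tenant's
// idle_session_lifetime governs the Auth0 session cookie only; the SPA keeps its
// tokens until they expire, so the app must detect inactivity and call logout().
class IdleSessionPolicy {
  constructor({ idleMs, refreshEveryMs, now = () => Date.now() }) {
    this.idleMs = idleMs;
    this.refreshEveryMs = refreshEveryMs;
    this.now = now;                 // injectable clock, so the policy is testable
    this.lastActivity = now();      // login counts as the first activity
    this.lastRefresh = now();       // the login exchange delivered the first token
    this.loggedOut = false;
  }
  // Call on user interaction (click, keydown, ...): resets only the idle clock.
  recordActivity() { this.lastActivity = this.now(); }
  // One decision per tick: logout beats refresh; after logout nothing else happens.
  nextAction() {
    if (this.loggedOut) return 'none';
    const t = this.now();
    if (t - this.lastActivity >= this.idleMs) { this.loggedOut = true; return 'logout'; }
    if (t - this.lastRefresh >= this.refreshEveryMs) { this.lastRefresh = t; return 'refresh'; }
    return 'none';
  }
}

// Wire the policy to an Auth0 client. `auth0.getAccessTokenSilently` and
// `auth0.logout` are assumed to be the functions returned by useAuth0() in
// @auth0/auth0-vue; `cacheMode: 'off'` (auth0-spa-js) forces a refresh-token
// exchange instead of returning the cached access token. `win` defaults to the
// browser window; tests can pass a stub with setInterval/clearInterval.
function attachIdleLogout(policy, auth0, { win = globalThis, tickMs = 1000 } = {}) {
  const events = ['mousemove', 'keydown', 'click', 'scroll', 'touchstart'];
  const onActivity = () => policy.recordActivity();
  const doc = win.document;
  if (doc) events.forEach(e => doc.addEventListener(e, onActivity, { passive: true }));
  const stop = () => {
    win.clearInterval(timer);
    if (doc) events.forEach(e => doc.removeEventListener(e, onActivity));
  };
  const timer = win.setInterval(async () => {
    const action = policy.nextAction();
    if (action === 'refresh') {
      try { await auth0.getAccessTokenSilently({ cacheMode: 'off' }); } catch { /* retry next tick */ }
    } else if (action === 'logout') {
      stop();
      auth0.logout({ logoutParams: { returnTo: win.location && win.location.origin } });
    }
  }, tickMs);
  return stop;
}
```

With idleMs = 3 minutes and refreshEveryMs = 2 minutes, a user who is active for 1 minute and then goes idle is refreshed at minute 2 and logged out at minute 4, the behaviour the second post expects.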
