Change access token expiration for magic link

Hi, I tried to change the access token expiration in the API settings. However, it works only for username-password login. Is there any way to change it? By default, it is 10 minutes, which is too short for us. Thank you.

1 Like

Hey guys. I’m experiencing the same issue. Is this a known issue?

Hi there @marcelo.kop and @wayne.hu !

I’m currently unable to reproduce this issue - Just to be clear, you are referring to the resulting access token of logging a user in via a magic link, correct? In my quick test using auth0-react + classic universal login + magic link the resulting access token is reflecting the “Maximum Access Token Lifetime” set in API → Access Token Settings:

Hi @tyf, thank you for the reply. I am not using the universal login to generate the magic link; instead, my frontend was calling the backend API, which calls /passwordless/start to create the magic link. I changed the Maximum Access Token Lifetime to 1 week, but the access_token returned was always 360 seconds.

1 Like

Thanks for clarifying @wayne.hu !

Are you passing the audience (API Identifier) of the API in authParams in the request to /passwordless/start?

Hi @tyf, yes, I attached the code snippet that I was requesting the magic link below, thank you.

    // Backend (NestJS HttpService / axios) requesting a magic link from Auth0.
    // authParams is forwarded to the authorization request that the link triggers.
    const response = await this.httpService.axiosRef.post(
      `${this.domain}/passwordless/start`,
      {
        client_id: this.clientId,
        client_secret: this.clientSecret,
        connection: 'email',
        email,
        send: 'link',
        authParams: {
          audience: this.audience,
          scope: 'openid email profile offline_access',
          protocol: 'oauth2',
          // response_type 'token' requests the access token directly (implicit flow)
          response_type: 'token',
          redirect_uri: callbackUrl ? callbackUrl : this.callbackUrl,
        },
      },
      {
        headers: {
          authorization: `Bearer ${accessToken}`,
        },
      },
    );

Thanks for clarifying!

I am seeing the same thing now, defaulting to 10 minutes :thinking: I’ll dig into this a bit deeper and share my findings.

2 Likes

Hi @tyf, any updates on this issue? Thank you.

Hey guys. I’m glad you were able to reproduce the issue. Any updates on this? Let us know if we can help even further @tyf

@tyf @wayne.hu Do you guys happen to know if this is a dev environment issue only? I want to move my app to prod and I’m afraid I might need to change the authentication provider from Auth0 to Clerk or something because of this issue.

1 Like

Hey there @wayne.hu @marcelo.kop sorry for the delayed response here! I’ve opened up a discussion internally to hopefully gain some clarity on this behavior. I will provide an update here as soon as I have more information myself.

Thanks a bunch for your patience and understanding!

Thanks @tyf. Do you know a workaround we can use? I would like to keep users logged in for maybe one week. I don’t think Magic Links have refresh_token and I’m not sure how to exchange that token for a longer one without a huge lift in the backend.

Hey there @marcelo.kop !

What type of application are you using? The max access token lifetime in general is 24 hours (86400 seconds). Because you are using response_type: token you are kicking off an implicit flow, which doesn’t allow for the use of refresh tokens. The implicit flow access token lifetime can be found below the “Maximum Access Token Lifetime”:

If you want to request refresh tokens, you will need to change the original request to response_type: code. Upon clicking the magic link, the user will be redirected to your application, at which point you will need to use the code against the token endpoint to perform the token exchange:

Content-Type: application/json

{
  "grant_type": "authorization_code",
  "client_id": "5sFZ3Auwiu445554ddjzSqcG",
  "client_secret": "K7xqpXdFZ3NyoBMwjRF-QT0SN345sdfg56g2aTUmPzigGh",
  "code": "{authorization_code_from_redirect}",
  "redirect_uri": "https://your-app.com/callback",
  "scope": "openid profile email offline_access"
}

At this point you should get both access and refresh tokens assuming your application has the Refresh Token grant type enabled and the API registered in Auth0 (which you are using as audience) has "Allow Offline Access" toggled to on.
1 Like
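To make the difference between the two flows concrete, here is an added example (not code from the thread or from Auth0) that builds the /passwordless/start body for either response_type, reads the magic-link callback for each flow (tokens arrive in the URL fragment for implicit, a one-time code in the query string for the code flow), builds the token-exchange body from the post above, and inspects the exp/iat claims of a returned access token so the effective lifetime can be compared with the "Maximum Access Token Lifetime" setting. Tenant domain, client ID, audience and the sample JWT are constructed placeholders.

```javascript
// Constructed placeholders; real values come from the Auth0 tenant and application.
const TENANT = {
  domain: 'https://YOUR_TENANT.example.auth0.com', // placeholder tenant domain
  clientId: 'YOUR_CLIENT_ID',                        // placeholder client id
  audience: 'https://api.example.com',              // placeholder API identifier
  redirectUri: 'https://your-app.com/callback',
};

// Body for POST {domain}/passwordless/start. responseType is the parameter the
// thread turns on: 'token' starts the implicit flow (no refresh token, capped by
// the implicit lifetime), 'code' starts the authorization code flow.
function buildPasswordlessStartBody(email, responseType, cfg = TENANT) {
  if (!['token', 'code'].includes(responseType)) {
    throw new Error(`unsupported response_type: ${responseType}`);
  }
  return {
    client_id: cfg.clientId,
    connection: 'email',
    email,
    send: 'link',
    authParams: {
      audience: cfg.audience,
      scope: 'openid email profile offline_access', // offline_access only yields a refresh token with 'code'
      response_type: responseType,
      redirect_uri: cfg.redirectUri,
    },
  };
}

// Parse what the magic link delivers to redirect_uri.
function parseCallback(urlString) {
  const url = new URL(urlString);
  const query = url.searchParams;
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ''));
  if (query.has('code')) {
    return { flow: 'authorization_code', code: query.get('code'), state: query.get('state') };
  }
  if (fragment.has('access_token')) {
    return {
      flow: 'implicit',
      accessToken: fragment.get('access_token'),
      expiresIn: Number(fragment.get('expires_in')),
    };
  }
  throw new Error('callback carried neither a code nor an access token');
}

// Body for the token endpoint exchange (authorization_code grant) described above.
// The client secret stays on the backend; it is a placeholder here.
function buildTokenExchangeBody(code, cfg = TENANT, clientSecret = 'YOUR_CLIENT_SECRET') {
  return {
    grant_type: 'authorization_code',
    client_id: cfg.clientId,
    client_secret: clientSecret,
    code,
    redirect_uri: cfg.redirectUri,
    scope: 'openid profile email offline_access',
  };
}

// Decode a JWT payload without verifying it, only to inspect exp/iat.
// Signature verification is still required before the token is trusted.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Lifetime in seconds as encoded by the issuer (exp - iat).
function tokenLifetimeSeconds(jwt) {
  const { exp, iat } = decodeJwtPayload(jwt);
  if (!Number.isInteger(exp) || !Number.isInteger(iat)) throw new Error('token lacks exp/iat');
  return exp - iat;
}

// Constructed sample token: real base64url header and payload, dummy signature.
function makeSampleJwt(iat, lifetimeSeconds) {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = b64({ alg: 'RS256', typ: 'JWT' });
  const payload = b64({ iss: `${TENANT.domain}/`, aud: TENANT.audience, iat, exp: iat + lifetimeSeconds });
  return `${header}.${payload}.dummy-signature`;
}

// Usage: a 10-minute token like the one observed in the thread reports 600 seconds.
console.log(tokenLifetimeSeconds(makeSampleJwt(1700000000, 600)));
```

Checking exp minus iat on the token actually returned is the quickest way to tell which lifetime setting applied; with response_type: code the same check on the token from the exchange should reflect the API's "Maximum Access Token Lifetime", and the refresh token covers the one-week session the thread is after.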

Thank you @tyf.
Just want to confirm: response_type: token is kicking off an implicit flow, and response_type: code is oauth2 flow, right? And both are working for the Magic Link?

1 Like

Happy to help, @wayne.hu! Both flows are technically part of the OAuth 2 framework; however, yes, response_type: token kicks off the implicit flow whereas response_type: code kicks off the authorization code flow.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.