We have a React SPA in the finance field. Our requirements state that after 10 minutes of inactivity, the user must be logged out and their screen cleared of all data (i.e. redirected to logout). This should happen automatically, not as a consequence of calling getTokenSilently (which extends the session / refresh token).
I know that I can set the inactivity lifetime of a refresh token, but I have no way of checking whether the user has breached this without calling getTokenSilently, which in turn renews the inactivity time.
In the client, I would like to periodically check whether the inactivity lifetime of the refresh token is still valid (the inactivity timeout has not been reached). If the timeout has been reached, then I would redirect to perform an action.
What I cannot seem to figure out is how to check the session in such a way that will not extend it. Is there such an API?
I haven’t seen a way to do this directly either, though honestly Auth0 probably wouldn’t want to get barraged with a bunch of polling to check if the refresh token is still valid. Right now it is only when you need an access token (like calling an API) that the SDK checks the token expiration, and only if that is expired does it try to get a new one. So Auth0 won’t get hit all that often in that case. It’s also good to keep in mind that the inactivity timeout is per refresh token, not per user (so separate timers on different browsers, different machines, etc.).
So I think the thing to do is to keep track of this kind of inactivity in your app. For any action that you know would trigger an access token request, you can update a datetime that you perhaps store in localStorage (to work across tabs in the same browser, to mimic how a session cookie behaves). Then do a setInterval to check against that value and redirect to logout if it passes the length of time.
You may need to buffer things slightly depending on the access token expiration (though usually you want it pretty short anyway), but I think it should do what you want. The worst that can happen is the refresh token expires earlier than you thought and it redirects during an API call instead of on its own. If you’re able to hook into the events of your own app properly, it doesn’t seem likely for the inverse to happen. Any of the tabs requesting an API should update the localStorage value and extend the time for all tabs. If you used Postman outside the app, that’d be a different refresh token, so it wouldn’t affect the app anyway.
This way you can also pop open a warning when it is about to expire. If they decide to extend the session, you can manually do a token refresh (and update the localStorage value), which you know will extend the refresh token inactivity period.
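One way to implement the approach described in the answer above, as an added example that is not part of the original thread and not Auth0 SDK code. It keeps a last-activity timestamp in localStorage, polls it on an interval, raises a warning shortly before the window closes, and treats the window as closed when the timestamp is missing or stale. The storage and clock are injectable so the logic can be exercised outside a browser; the key name `auth:lastActivityAt`, the function names, the `/logout` route and the `cacheMode: 'off'` option (the auth0-spa-js v2 way to force a real refresh, bypassing the SDK cache) are assumptions for illustration. The client-side timer is a UX control only: the authoritative limit is the refresh token inactivity lifetime configured in Auth0, so `timeoutMs` should be no longer than that lifetime minus the access token lifetime, since the refresh token is only actually used (and its inactivity clock only actually reset) when the cached access token has expired.

```javascript
// Added example: client-side mirror of the refresh-token inactivity window.
// Nothing here calls Auth0; the app's own API-call wrapper calls touch().

const ACTIVITY_KEY = 'auth:lastActivityAt'; // assumed localStorage key

function createInactivityTracker({
  timeoutMs,             // e.g. 10 * 60 * 1000; keep <= Auth0 refresh-token
                         // inactivity lifetime minus access-token lifetime (the buffer)
  warnBeforeMs = 0,      // raise onWarn this long before the window closes
  storage,               // localStorage in the browser; any getItem/setItem/removeItem object
  now = () => Date.now(),
  onWarn = () => {},     // receives milliseconds remaining
  onTimeout = () => {},  // e.g. redirect to logout
}) {
  let warned = false;

  // Call this wherever the app knows an access token will be requested.
  // Writing to localStorage shares the timestamp across tabs in the same
  // browser, so activity in any tab extends the window for all of them.
  function touch() {
    storage.setItem(ACTIVITY_KEY, String(now()));
    warned = false;
  }

  // Returns the stored timestamp, or null if missing/unparseable.
  function lastActivity() {
    const raw = storage.getItem(ACTIVITY_KEY);
    const ts = raw === null ? NaN : Number(raw);
    return Number.isFinite(ts) ? ts : null;
  }

  // Pure check: returns 'active' | 'warning' | 'expired' and fires callbacks.
  // A missing record is treated as expired (another tab may have logged out
  // and cleared it), never as "fresh".
  function check() {
    const last = lastActivity();
    if (last === null) { onTimeout(); return 'expired'; }
    const idle = now() - last;
    if (idle >= timeoutMs) {
      storage.removeItem(ACTIVITY_KEY);   // so every other tab also sees 'expired'
      onTimeout();
      return 'expired';
    }
    if (warnBeforeMs > 0 && idle >= timeoutMs - warnBeforeMs) {
      if (!warned) { warned = true; onWarn(timeoutMs - idle); } // warn once per window
      return 'warning';
    }
    return 'active';
  }

  // Start polling; returns a stop function. The interval only needs to be a
  // small fraction of timeoutMs.
  function start(intervalMs = 15000) {
    const id = setInterval(check, intervalMs);
    return () => clearInterval(id);
  }

  return { touch, check, start, lastActivity };
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Browser wiring (assumed app hooks; auth0Client is an Auth0Client instance).
function wireBrowser(auth0Client) {
  const tracker = createInactivityTracker({
    timeoutMs: 10 * 60 * 1000,
    warnBeforeMs: 60 * 1000,
    storage: window.localStorage,
    onWarn: (msLeft) => {
      // Show the warning UI; if the user chooses to stay, force a real refresh
      // so the refresh-token inactivity clock on the Auth0 side is reset too.
      if (window.confirm(`Session ends in ${Math.ceil(msLeft / 1000)}s. Stay signed in?`)) {
        auth0Client.getTokenSilently({ cacheMode: 'off' }).then(() => tracker.touch());
      }
    },
    onTimeout: () => window.location.assign('/logout'), // assumed route that clears state
  });
  // Activity in another tab resets our warning state as well.
  window.addEventListener('storage', (e) => { if (e.key === ACTIVITY_KEY) tracker.check(); });
  tracker.touch();
  return tracker.start();
}
```

Calling `touch()` only from the API wrapper (rather than on every mouse move) keeps the local clock aligned with the events that can actually extend the refresh token, which is what the answer relies on to avoid the local window outliving the real one.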