I’m using 8.10.1 Auth0.js library; calling the checkSession (Auth0.js v9 Reference) to refresh ID token when it expires. I was under impression that when SSO session expires this call will return login_required but it never happens. Even when I set SSO session to 1 minute and ID token to 30 second I am able to get new tokens indefinitely and I never receive login_required.
Am I doing something wrong?
I could not reproduce the situation you describe and the response I obtained after session expired was login_required as expected.
Here’s the steps I did:
- Set the SSO Cookie Timeout to one minute.
- Opened a browser window in incognito in order to ensure no previous session would be reused.
- Performed the authentication flow to establish a session.
- Immediately performed a
checkSession call to ensure it worked when the session is available.
- Waited for the session to expire; I likely waited around one minute and half to two minutes.
- Performed a
checkSession call (which failed with login_required).
Have in mind that the lifetime of the issued ID token is not relevant for this situation.