Do users have to reauthenticate every 5 minutes if the expiration for a token is 5 minutes?

I tried to change the expiration time to 1 minute in the auth0 console. After this, I need to re-authenticate. I assumed wrongly that the renewal of a token would have been abstracted and done in the background.

I read somewhere that the expiration time should be about 5 minutes after the token has been issued. It would be impractical to ask users to reauthenticate every 5 minutes. Furthermore, the default on auth0 is 10 hours, so I’m wondering if auth0 works by auto logging out users after 10 hours (which I find quite odd).

  • Is that normal?
  • Is auth0 making assumptions that we use extended periods of time before expiry?
  • Isn’t the refresh token just for that, or is it not applicable on the client?
  • Should I use an extended period before expiry, or should I go low and renew the token?

The token expiration can be set to the time you desire. Auth0 does not “log out” a user at the time, but simply sets the JWT expiration to the time configured. If we use the Auth0 default of 36000 seconds:

  1. The user will log in. The issued JWT id_token expiration will be set to now + 10 hours.
  2. It is up to your client to renew the token when it expires. As you mention, refresh tokens are the way to do this in mobile/regular web apps.
  3. Ideally you should use a low expiration time, then renew. This minimizes the window for a malicious user to use a stolen JWT (you can revoke refresh tokens, which will then prevent your application from obtaining new id_tokens).
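As an added example (not part of the question or the reply above), the renew-in-the-background flow the reply describes, in Python: the client reads `exp` from the id_token to decide when to call the refresh-token grant, and revoking the refresh token stops any further id_tokens from being issued. `TokenEndpoint`, `Client`, `SECRET` and the 300-second ttl are constructed stand-ins, not Auth0's API.

```python
import base64
import hashlib
import hmac
import json
import secrets
SECRET = b"constructed-demo-signing-key"  # stand-in for the issuer's key
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_id_token(subject: str, now: int, ttl: int) -> str:
    """Issue an HS256 JWT with exp = now + ttl (Auth0's default ttl is 36000 s)."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps({"sub": subject, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def payload_of(token: str) -> dict:
    """Read claims without verifying (for scheduling only; the API must verify the signature)."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def needs_renewal(token: str, now: int, leeway: int = 60) -> bool:
    """True once the id_token is expired or within `leeway` seconds of expiring."""
    return now + leeway >= payload_of(token)["exp"]

class TokenEndpoint:
    """Hypothetical stand-in for the authorization server's refresh_token grant."""
    def __init__(self, ttl: int):
        self.ttl, self.refresh_tokens = ttl, {}  # refresh_token -> subject
    def login(self, subject: str, now: int):
        rt = secrets.token_urlsafe(16)
        self.refresh_tokens[rt] = subject
        return mint_id_token(subject, now, self.ttl), rt
    def refresh(self, rt: str, now: int) -> str:
        if rt not in self.refresh_tokens:  # revoked: no new id_token is issued
            raise PermissionError("refresh token revoked or unknown")
        return mint_id_token(self.refresh_tokens[rt], now, self.ttl)
    def revoke(self, rt: str) -> None:
        self.refresh_tokens.pop(rt, None)

class Client:
    """Renews the id_token in the background so the user is never re-prompted."""
    def __init__(self, endpoint: TokenEndpoint, subject: str, now: int):
        self.endpoint = endpoint
        self.id_token, self.refresh_token = endpoint.login(subject, now)
    def id_token_for(self, now: int) -> str:
        if needs_renewal(self.id_token, now):
            self.id_token = self.endpoint.refresh(self.refresh_token, now)
        return self.id_token
```

With a short ttl the user logs in once; `id_token_for` silently swaps in a fresh token, and after `revoke` the next renewal fails, which is the moment a real client would send the user back to the login page.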