I tried to change the expiration time to 1 minute in the Auth0 console. After this, I need to re-authenticate. I assumed wrongly that the renewal of a token would have been abstracted and done in the background.
I read somewhere that the expiration time should be about 5 minutes after the token has been issued. It would be impractical to ask users to reauthenticate every 5 minutes. Furthermore, the default on Auth0 is 10 hours, so I’m wondering if Auth0 works by auto logging out users after 10 hours (which I find quite odd).
- Is that normal?
- Is Auth0 making assumptions that we use extended periods of time before expiry?
- Isn’t the refresh token just for that, or is it not applicable on the client?
- Should I use an extended period before expiry or should I go low and renew the token?