We use Lock v11 with Implicit Flow in our SPA. We have JWT expiration set to 15 minutes in our Application in Auth0 and we use Silent Authentication in the web app to get a new token as long as the user continues working in the browser.
That flow is working fine but our issue is with the userinfo endpoint. When a user has logged out from our application and the last issued token has expired (within 15 minutes) the userinfo endpoint still gives a result containing the user’s name and email among other things. Basically we recorded the userinfo request that was done by Lock after the user was authenticated and even several hours after the last issued token has expired we are able to use the recorded request to call userinfo again and get a response with user details.
This is a security issue for us since it is possible to get basic user info long after the user chose to logout and no new token was issued.
Question: Is there any setting that governs the expiration of the bearer token sent to userinfo? Should it not have the same expiration as the application JWT expiration setting? Would appreciate some clarification on this matter.
Thanks for that info @dan.woda! Was not able to find it in the docs before. On that note, it seems that our recorded userinfo request was still working after 2 hours but not after 24 hours, indicating it is not Implicit flow/grant even though we have a SPA. I noticed that under Application settings > Advanced > Grant Types we had all the grants checked so I unchecked all except “Implicit”. In addition to that the Application type was not set in our app so I set it to Single Page Application. Will that make the token in the userinfo endpoint have the 2 hours expiration? I could not find any flow/grant type settings in the Lock v11 docs.
Is there a reason that ther userinfo endpoint access token lifetime is not configurable? Even if it is meant for authentication only and not for accessing our API, the data the userinfo endpoint returns could still be considered sensitive.
That should do it. You can get the token and look at the expiration time. SPAs currently support both the implicit flow and auth code + pkce flow. Those would be the two options and which one you are using could depend on if you are using auth0-spa-js or auth0.js
Are you referring to the token sent in the Authorization request header in the userinfo request?
If that one, how do I check the expiration? The jwt.io site can’t decode it and the userinfo endpoint response only contain this:
The userinfo token was still valid for 24 hours even after I made the changes in the app settings. We are using embedded login with Lock v11.17.2 and not auth0.js. Could that affect it somehow? We needed both Implicit and Password grant in the app Grant Types settings btw for our E2E tests to work.