Extend session in custom code grant flow

I don’t really know why I’d have to extend the Auth0 session other than that an SDK should probably be able to do that. I don’t see an endpoint that would allow the session to be extended. The most straightforward one that seems to indicate user activity is the user profile query one. I have my own sessions, but I’d like to keep them in sync with Auth0 ones, and ideally the endpoint would let me know that the session should be destroyed.

Hi @jey.and.key

I am not very sure what the question is here.

The Auth0 Session is a cookie hosted in the Auth0 tenant domain (either the name.us.auth0.com or the CNAME for that tenant). You cannot manage cookies via an API call.

Auth0 allows you to set session timeouts, either absolute or based on user activity.

John

Alright, and what would constitute user activity, them being redirected to your login page every so often? Is it okay practice to just ignore your cookie?

Hi @jey.and.key

My favorite question: what is user activity?

It is getting a new access token (via silent auth). Typically access token expirations are short compared to session expirations (because you cannot revoke an access token), so you will need several over the lifetime of a session. It is this request that counts as user activity.

You probably don’t want to ignore the Auth0 session, you should make sure it integrates well with your app session.

John

I’m struggling with the idea of silent auth. This is a server-side app, with access grant tokens. Are you expecting me to route every request or response through you, or insisting that I keep your session active although silent auth will renew the session post expiry without requiring login/pass?

Hi @jey.and.key

Keep in mind there are several levels here:

  • Your app session (typically a cookie in your app domain)
  • The Auth0 session (a cookie in the Auth0 domain)
  • The access token

The access token is a JWT signed by the Auth0 tenant. It has an expiration date. Your API should validate the access token before granting access. This validation can be done without contacting Auth0 (except the first time you do it, you need to get the signature keys, which then should be cached).

So, no, you do not route every request/response through Auth0. You just validate the access token.

When the access token expires, you can get a new one via silent authentication.

Or you can use refresh tokens.

John

Simply taking the access token from the body and pasting that on jwt.io also doesn’t produce any results.