Feb 12 Auth0 Community Ask Me Anything: Auth0 Sessions and Refresh Tokens

We’re excited to invite you to our next interactive Auth0 Community Ask Me Anything (AMA) session on Wednesday, February 12, 2025! This is your chance to learn how to optimize your use of Auth0 sessions, leverage refresh tokens, and effectively use the Management API to enhance security and streamline your authentication processes.

How It Works
Starting January 28 through February 11, 2025 Auth0 developers, customers, and community members can submit their questions directly in the Auth0 Community. Just hit the “Reply” button on this dedicated thread! Then, on February 12, from 8 am to 10 am PST, our product experts will provide detailed, written answers to all questions submitted during this 2-week period. As a bonus, participants will earn points and a special badge!

What You’ll Learn:

  • Best practices for managing Auth0 sessions and leveraging the Management API.
  • How to properly use and rotate Refresh Tokens, including their lifetimes and relationship with session durations.
  • Advanced features like Continuous Session Protection and how to optimize your implementation.
  • Key differences between Refresh Tokens and Sessions, and how they work together to maintain secure and seamless user authentication experiences.

Ask Questions here by hitting the reply button below. Be sure to submit your questions from today, January 28, to February 12, 2025.

Featured Expert

Nelson Matias is a Group Product Manager leading the Auth0 Sessions and Refresh Tokens team. Over the last 6 years at Okta/Auth0, I’ve had the privilege of working in various roles, including Solution Architect, Principal TAM, and leadership positions. With more than 10 years of experience in Identity and Access Management, I began my career over 20 years ago as a Java Developer, and I’ve continued to grow my expertise in this space.


Since Auth0 has released the ACUL SDK in EA:

I wanted to know, if I implement @auth0/auth0-acul-js today in my current application (example: React app with the Auth0 React SDK), do I need to use @auth0/auth0-acul-js together with the @auth0/auth0-react SDK, or would I be able to check isAuthenticated and call getTokenSilently() using just @auth0/auth0-acul-js?

Also, the documentation of @auth0/auth0-acul-js is not very clear on token management.


If we consider that the use of confidential clients should be preferred over public ones, and also that tokens should be hidden from single-page and mobile applications (prevent them from being exposed to the code of malicious dependencies or stolen from device storage), there is another session to put in the picture: the OAuth2 client session in which the tokens are stored.

Is it planned to include documentation about why the OAuth2 BFF pattern should be preferred to using public clients (as most Auth0 SDKs are doing)? And also on:

  • How can the relative lifespans of the refresh token, the authorization server session, and the OAuth2 client session (confidential clients running on the backend) be tuned?
  • When and how to “refresh” refresh tokens / keep sessions alive, and what are the consequences of letting each expire?
  • Can a Back-Channel Logout event be fired when a refresh token or a user session on the authorization server expires?

Hi

I have some questions about the interplay between SSO sessions, access tokens and rotating refresh tokens.

The main goal is to allow different SPA applications to share the SSO session, meaning

  • Initial login of an application would start an Auth0 SSO session.
  • Subsequent logins of different applications would happen automatically, assuming the SSO session is alive.
  • Refresh tokens issued would be bound to the SSO session, and would only be usable if the underlying SSO session was active.
  • Successfully refreshing a token would result in the SSO session being extended.
  • Logging off from the Auth0 SSO session would result in all refresh tokens associated with the session being invalidated.

It may be easier to consider an example:

Auth0 runs on login.operator.com
SPA1 on www.operator.com
SPA2 on www.other-domain.com

The scenario is, assuming:

  • we require sessions to time out after 30 minutes of inactivity
  • ATs live for 5 mins
  • both SPAs monitor activity and will only refresh the AT if there has been activity within 30 min

  • Login on SPA1
  • Interact with SPA1 for 45 mins
  • Open SPA2 in a new tab - should be logged in via a silent bounce off Auth0
  • Interact with SPA2 continually, leaving SPA1 idle for 45 mins
  • Go to the SPA1 tab, there should be an active AT
  • Leave both apps idle for 45 mins
  • Both ATs should have expired due to inactivity

Also if SPA1 logs out explicitly (using a redirect to Auth0), then the next token refresh of SPA2 would fail.

Thanks,
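The semantics asked for in the post above (refresh tokens bound to an SSO session, a successful refresh extending the session, logout revoking every token tied to the session, and a 30-minute idle timeout) can be walked through with a small simulation. The following is an added example written for this thread; it is not Auth0 code, does not model Auth0's actual token formats or endpoints, and its `AuthServer`, `Spa`, the 5-minute access-token lifetime, the 30-minute idle timeout and the timeline values are all constructed to mirror the scenario in the question.

```python
"""Toy model of one authorization-server SSO session shared by two SPAs,
with rotating refresh tokens bound to that session. Constructed example;
not Auth0 code, and lifetimes are the ones assumed in the question."""
from dataclasses import dataclass
from typing import Optional
import secrets

MIN = 60
ACCESS_TOKEN_TTL = 5 * MIN        # assumed: access tokens live 5 minutes
SESSION_IDLE_TIMEOUT = 30 * MIN   # assumed: SSO session dies after 30 idle minutes


@dataclass
class SsoSession:
    id: str
    last_activity: int
    active: bool = True


@dataclass
class RefreshToken:
    value: str
    session_id: str
    client_id: str
    revoked: bool = False


class AuthServer:
    """Stand-in for the authorization server (login.operator.com in the question)."""

    def __init__(self):
        self.sessions, self.refresh_tokens = {}, {}

    def _alive(self, s: SsoSession, now: int) -> bool:
        return s.active and now - s.last_activity <= SESSION_IDLE_TIMEOUT

    def _issue(self, s: SsoSession, client_id: str, now: int) -> dict:
        rt = RefreshToken(secrets.token_hex(8), s.id, client_id)
        self.refresh_tokens[rt.value] = rt
        return {"at_expires_at": now + ACCESS_TOKEN_TTL, "refresh_token": rt.value}

    def login(self, client_id: str, now: int, session_id: Optional[str] = None):
        """Interactive login, or a silent one presenting the SSO session cookie."""
        s = self.sessions.get(session_id) if session_id else None
        if s is None or not self._alive(s, now):        # no live session: start one
            s = SsoSession(secrets.token_hex(8), now)
            self.sessions[s.id] = s
        s.last_activity = now
        return s.id, self._issue(s, client_id, now)

    def refresh(self, token: str, now: int) -> dict:
        rt = self.refresh_tokens.get(token)
        if rt is None or rt.revoked:
            raise PermissionError("invalid_grant: unknown or revoked refresh token")
        s = self.sessions[rt.session_id]
        if not self._alive(s, now):                     # token is bound to the session
            raise PermissionError("invalid_grant: SSO session expired")
        rt.revoked = True                               # rotation: single-use tokens
        s.last_activity = now                           # a refresh extends the session
        return self._issue(s, rt.client_id, now)

    def logout(self, session_id: str) -> None:
        self.sessions[session_id].active = False
        for rt in self.refresh_tokens.values():         # everything bound to it dies
            if rt.session_id == session_id:
                rt.revoked = True


class Spa:
    """One single-page app holding its own tokens and watching its own user activity."""

    def __init__(self, name: str, server: AuthServer):
        self.name, self.server, self.tokens, self.last_activity = name, server, None, 0

    def login(self, now: int, session_id: Optional[str] = None) -> str:
        sid, self.tokens = self.server.login(self.name, now, session_id)
        self.last_activity = now
        return sid

    def has_valid_token(self, now: int) -> bool:
        return self.tokens is not None and now < self.tokens["at_expires_at"]

    def _refresh(self, now: int) -> bool:
        try:
            self.tokens = self.server.refresh(self.tokens["refresh_token"], now)
            return True
        except PermissionError:
            self.tokens = None
            return False

    def interact(self, now: int) -> bool:
        """User activity: refresh on demand if the access token has expired."""
        self.last_activity = now
        return self.has_valid_token(now) or (self.tokens is not None and self._refresh(now))

    def background_refresh(self, now: int) -> bool:
        """Timer-driven refresh, attempted only if the user was active within 30 min."""
        if self.tokens is None or now - self.last_activity > SESSION_IDLE_TIMEOUT:
            return False
        return self.has_valid_token(now) or self._refresh(now)


def run_scenario() -> dict:
    """Replay the timeline from the question and report what each step yields."""
    srv = AuthServer()
    spa1, spa2 = Spa("spa1", srv), Spa("spa2", srv)
    sid = spa1.login(0)
    for m in range(1, 46):                       # 45 minutes of activity on SPA1
        spa1.interact(m * MIN)
    sid2 = spa2.login(45 * MIN, session_id=sid)  # silent bounce via the live session
    for m in range(46, 91):                      # 45 minutes on SPA2, SPA1 idle
        spa2.interact(m * MIN)
    spa1_back = spa1.interact(90 * MIN)          # return to the SPA1 tab
    idle = 135 * MIN                             # both apps idle for 45 minutes
    r1, r2 = spa1.background_refresh(idle), spa2.background_refresh(idle)
    try:                                         # even a forced refresh is rejected
        srv.refresh(spa1.tokens["refresh_token"], idle)
        forced = "ok"
    except PermissionError as e:
        forced = str(e)
    srv2 = AuthServer()                          # explicit logout scenario
    a, b = Spa("spa1", srv2), Spa("spa2", srv2)
    s = a.login(0)
    b.login(1 * MIN, session_id=s)
    srv2.logout(s)                               # SPA1 logs out via the server
    return {"sso_session_shared": sid2 == sid, "spa1_active_after_spa2_use": spa1_back,
            "spa1_valid_after_idle": r1, "spa2_valid_after_idle": r2,
            "forced_refresh_after_idle": forced,
            "spa2_refresh_after_spa1_logout": b.interact(6 * MIN)}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

In this model the server, not the SPA, is the authority on inactivity: the client's 30-minute activity check only decides whether to bother calling the token endpoint, while the session's `last_activity` is what makes a refresh succeed or fail. That is what lets SPA1 come back after 45 idle minutes (SPA2 kept the shared session alive) yet fail once neither app has touched the session for longer than the timeout.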