Hey, I downloaded spa react sample application. In Management of SPA application, I set expiration of ID Token to 5 seconds (only to demonstrate my problem).
I will get both access_token and id_token. Access token has expiration 86400 and id token 5s. After 5s, I call this function again, but values are taken from cache (apparantely because access_token is not expired yet?). If I use
This is a bit tricky, but expected behavior - The call is not necessarily concerned with the ID token expiration. Essentially, because the ID token is only designed to be used on the client side it can more or less be discarded once the users information has been gathered from it. It just proves successful authentication but not authorization (this is the access token). The ID token is irrelevant to the session established at the authorization server (in this case Auth0) which is checked when getAccessTokenSilently is called. So as you’ve noticed the ID token may be renewed, but not necessarily.