For context: I am using auth0 in a vue app with
"@auth0/auth0-spa-js": "^1.12.0" with local storage cache and rotating refresh tokens. The refresh tokens are configured to be valid for a week and the access tokens for a day.
In the scenario below I made sure to log out, clear cookies and local storage, and log in anew, starting a new session with fresh tokens which should be valid for the times mentioned above.
When I put the computer to sleep without closing the tab, wake the computer up a few minutes later, the first call to
getTokenSilently throws the
login_required error instead of returning the cached access token which should still be valid, or getting a new access token (and rotating the refresh token) using the cached refresh token (which also should still be valid).
When I keep the tab open and the computer running, the access tokens are successfully exchanged when calling
getTokenSilently, there’s no exception.
getTokenSilently behave different when I wake the computer up compared to keeping it running?
Enabling “Allow Offline Access” in the API seems to resolve the issue. I’d like to better understand what the “Allow Offline Access” switch does and why I need to enable it.
auth0-spa-js always requests the
offline_access scope when using refresh tokens.
The API documentation states:
Allow Offline Access: When this is enabled, Auth0 will allow applications to ask for Refresh Tokens for your API.
This sentence sounds to me as if actually this would always be required when using rotating refresh tokens. Or does the automatic token rotation using
getTokenSilently not count as such an “ask for Refresh Tokens”? And why is the switch called “Allow Offline Access”, but the switch description doesn’t seem to reference network conditions?
Then there’s this section on token best practises:
If you limit offline access to your API, a safeguard configured via the Allow Offline Access switch on the API Settings, Auth0 will not return a Refresh Token for the API (even if you include the offline_access scope in your request).
Just as a reminder: auth0-spa adds this scope automatically. And tokens are anyway returned to the client and replaced regularly on the client’s demand for a new access token. Which leads me to ask: Does the “Allow Offline Access” switch have additional security implications?
I’m very thankful for any insight on how
getTokenSilently and the API “Allow Offline Access” switch work!