We are currently encountering an issue with our Auth0 integration that has quite a high criticality for us.
Some background:
We are a small startup building an Angular-based SPA that is provided both as a web page and also wrapped in a Xamarin wrapper as a native Android/iOS app. We aim to provide the users with a very similar experience no matter if they use the native smartphone app or a browser on whatever platform. We are currently using the free plan.
The issue we are facing is that users are being logged out of the app, and this is causing massive acceptance problems and annoyance, and we are quickly losing users because of this. Because there is no session expiration logging in Auth0 and we have ramped up all the timeouts, expiration times, etc. of our tenants to the maximum, I can only deduce that most users get logged out because of the 3 days of inactivity timeout. See here: Sessions
The session inactivity timeout essentially means that if a user does not open our app for 3 days, he or she will have to log in again afterwards, which is very annoying for the users. Most of them are now accustomed to mobile apps and also web pages like Facebook giving them virtually infinite session time, and there is a very, very low tolerance threshold for repeated logins after a few days for non-banking apps.
Is there any technical solution anyone can think of that allows us to work around the 3-day inactivity timeout? The only technically sound solution I see is upgrading to the enterprise plan, which we cannot afford as a startup that is currently in the starting phase with zero revenue.
I was able to find out from our team @schmaga that we are currently working on solutions to securely support refresh tokens in SPAs. We expect to be able to share more details in the near future!
That is great news, can’t wait to hear from you. If I can beta-test some new feature for you, just let me know.
But will it work around the problem that a user keeps the app closed for more than 3 days and afterwards his session is timed out? Will it be possible to get a new session using the refresh_token in this situation?
@James.Morrison Thanks for the info, that is good to know. Any update on the timeline just yet? Even a rough estimate helps.
I would like to avoid having to build any hacky or insecure workarounds in the meantime, but we have to do something, or otherwise we cannot proceed with our own project milestones.