How to change the access_token expiry?

Unfortunately, as far as I can see looking at our API explorer, there isn't a way to set it using the API:

https://auth0.com/docs/api/authentication?http#authorization-code-flow

OK, thank you for getting back to me.

I have seen that this can be done from the Auth0 console, but is the change there really changing the access_token expiry when using the Authorization Code Grant Flow?

Hey @maria.romero!

Not sure about that. Can you tell me exactly which console you are referring to? Let me check it then and get back to you soon!

In the Auth0 Management API settings page…
I have changed it to last 30 days, but users are still being logged out after 24 hours.
This is why I was questioning whether changing the access_token expiry when using the Authorization Code Grant Flow actually changes it…

Got it. Thanks for providing that context! Let me dig into it and get back to you with news soon!

And just for extra info: this is a native app client using the SDK for the implementation, and the issue is when calling the CredentialsManager class… the logged-in status doesn't persist after 24 hrs, which is why we think the access_token expiry is not really changing.

Thank you! Let me try to establish the reasoning behind it and get back to you with an answer!


Hello everyone,
The section we are both looking at is the Auth0 Management API, which is a system API and is not meant to be consumed in browser-based flows. You need to create a custom API, which will then allow you to update that setting…

Is there anything new regarding the ability to keep users logged in for a week or more in an SPA scenario?

Any follow-up here? It's been quite frustrating to deal with this on our end. We keep getting customer complaints about this 24h limit.

Any solution for this? I too searched a lot for a way to get the access token valid for 7 days but was not able to find any solution…

+1 for this issue

Auth0 is great, but it's a big pain not to be able to set a validity > 1 day.

+1, same problem. The bulk of my audience uses the app Friday to Thursday; it's painful to come back on Friday and re-authenticate. I would like to push the token expiry to 7d. I have the refresh token mechanism, but if the user does not come back within 24h, it is useless.

Totally feel your pain; however, such a solution is still not advisable among identity & security implementations.

To know whether it is good or not, it would first be necessary to know what the risks are in terms of security. Without knowing the perimeter of the application, it seems difficult to me for you to be able to answer.
I haven't asked your opinion on whether it's good or not; I know that. Just whether we can change the value, and apparently I'm not the only one.

@konrad.sopala
Because of its limits, my users have to constantly reconnect, because they are not always on the application. Honestly, I'm thinking of quitting Auth0 and finding another solution,
because we have no support on this problem, which is a real problem.

If I am reading this thread correctly, you can solve this issue by doing the following:

  1. First, set the expiration for your access tokens within your Management API configuration, as shown in the image below.

  2. Grab the Identifier for your API, as shown in the image below.

  3. Add the audience parameter to your authorize call, like so (spaces in the scope list are percent-encoded so curl sends a valid URL):
    curl --location --request GET 'https://auth.acc.com/authorize?response_type=code&client_id=CLIENTID&state=accauth&redirect_uri=https://oauth.pstmn.io/v1/callback&scope=openid%20name%20email%20nickname%20profile%20offline_access%20exp&audience=IDENTIFIER' \
    --header 'Cookie: auth0=s%3Av1.gadzZXNzaW9ugqZoYW5kbGXEQPH8YyO23E8BqrHigb4esJVoHngFeFBD4UjpHLDbLSV7lIDZUPwMd4Y4V9OYfKf4cP1f8tbNMtw_hKJc_4mIviGmY29va2llg6dleHBpcmVz1_9itI4AYzdDeq5vcmlnaW5hbE1heEFnZc4PcxQAqHNhbWVTaXRlpG5vbmU.bAHCfJgnNlO37ANYJROjGhk%2FfB2F%2BzeYC094RvgUF%2F4; auth0_compat=s%3Av1.gadzZXNzaW9ugqZoYW5kbGXEQPH8YyO23E8BqrHigb4esJVoHngFeFBD4UjpHLDbLSV7lIDZUPwMd4Y4V9OYfKf4cP1f8tbNMtw_hKJc_4mIviGmY29va2llg6dleHBpcmVz1_9itI4AYzdDeq5vcmlnaW5hbE1heEFnZc4PcxQAqHNhbWVTaXRlpG5vbmU.bAHCfJgnNlO37ANYJROjGhk%2FfB2F%2BzeYC094RvgUF%2F4; did=s%3Av0%3Aa21934c0-3e9a-11ed-bf08-ada2147c215f.UwJ8TPFTOLKOUjtCh8aDRQZTMbdphdMI%2B5%2F9m7je9h0; did_compat=s%3Av0%3Aa21934c0-3e9a-11ed-bf08-ada2147c215f.UwJ8TPFTOLKOUjtCh8aDRQZTMbdphdMI%2B5%2F9m7je9h0'

  4. Then, when you make your call to the Token endpoint, the JSON response will have the appropriate value for your access token expiration:
    {
    "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ild1Qng3bktHeUZRRDVPUVdZUldzMSJ9.eyJpc3MiOiJodHRwczovL2F1dGguYWNjLmNvbS8iLCJzdWIiOiJhdXRoMHw1ZmVjMTk4MC1kYWI0LTRjYWUtODY0NC05MjU5ODdkN2RlMjEiLCJhdWQiOlsiaHR0cHM6Ly9h2i92hal22c3NvY29mY29ycGNvdW4udXMuYXV0aDAuY29tL2FwaS92Mi8iLCJodHRwczovL2Fzc29jb2Zjb3JwY291bi51cy5hdXRoMC5jb20vdXNlcmluZm8iXSwiaWF0IjoxNjY0NTYwNjE1LCJleHAiOjE2NjUxNjU0MTUsImF6cCI6InBvV3FTZFgybTBDSGlXb0FvOVBPWGNycUhnUVpMZmRmIiwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCBvZmZsaW5lX2FjY2VzcyJ9.eRWcWUJlW-xuu5N8qIk6OA7fOnn90Y-qoLPLinWEEiE4v6fBL2S2gxLd6XZrt6sOlEye2KMSjZXvDeMwgdvxC5ownKFw041ZZ9Ey5quvaByW3baGQvckVZ1pJ7D1TTNsGuYgm7GOUmPPhEKZTRO7fLCZL-EHIgaYJot9pEV09Evs1UHF1HwDgosqLwPNHM1uZXcsk6YiQTP-DZRCKCS4IBtUWXaRYRakpPYgqBMF4olKj9dwbxhMsuiv9ktOQK1bCXlPrLrPjlIG_sw_af_Ygtttb6XYxddWnH8loiCxK61rP5hRPKGeA2TZCdeFLyLLchBIkWD7ziaPBsrbVYcaKA",
    "refresh_token": "L_KBD_fbw1BeCG-P8IIUGplpa_223448T-csbaaDOK8RT",
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6Ild1Qng3bktHeUZRRDVPUVdZUldzMSJ9....uT-1QW0Gn_6ztCE_8i8FxQ_k0Yb5i1D0BumNcb4gbShg4HVxXKKxzyDXFoNqUcMZCnB-DkMAWC-MGviHkNosr1rNOmVM1EFLJHvL-uERvByGI3QRZQz7Pd3I-aaF6wkLkj1-gOqVQIP9orvipRgRKJuXbDZse_UVuL-zUdhAtosaOagTrbzNKQoyxvQ8Ejn5JtIQ0ii3mCVbMLUNtfWBdi7V55Ln_PpE-bv_1RO-2w0coZc6Rc19nScIFwwHs1qYxpn830B0lGkYbir2ArenvmF-q17JAdAlK5UsCy9-Q5c8pSoaWSykjq_8thRvdU_FaOziSFJPfwecU7ga5WUl1A",
    "scope": "openid profile email offline_access",
    "expires_in": 604800,
    "token_type": "Bearer"
    }
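
The four steps above, as an added, self-contained example that is not part of the original thread: build the /authorize URL with the audience parameter, then cross-check the token response to confirm that the issued access token really carries the lifetime you configured (exp minus iat should equal expires_in) and is bound to the API you expected. The tenant domain auth.example.com, the client ID, the redirect URI and the API Identifier https://api.example.com/ are placeholders; the token response is constructed inline (HS256 with a throwaway key, purely so the sample is a well-formed JWT; real Auth0 access tokens are RS256) and is not a real Auth0 response. The decoder deliberately does not verify signatures: it is a debugging aid for checking lifetimes, not something an API may use to trust claims.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode


def build_authorize_url(domain, client_id, redirect_uri, scopes, audience, state):
    """Build the /authorize URL for the Authorization Code flow.

    `audience` is the Identifier of the API whose token settings (including the
    access-token lifetime) should apply. Without it there is no API for Auth0
    to tie the access token to, so that API's configured expiry is never used.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # urlencode() encodes the spaces for us
        "audience": audience,
        "state": state,
    }
    return f"https://{domain}/authorize?" + urlencode(params)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT checking its signature.

    Fine for inspecting iat/exp while debugging; never use the result for an
    authorization decision. An API must verify the RS256 signature against the
    tenant's JWKS before trusting any claim.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def access_token_lifetime(token: str) -> int:
    """Seconds between iat and exp, i.e. the lifetime the tenant actually issued."""
    claims = jwt_claims(token)
    return int(claims["exp"]) - int(claims["iat"])


def check_token_response(resp: dict, expected_audience: str, expected_lifetime: int) -> dict:
    """Cross-check a /oauth/token response against what was configured."""
    claims = jwt_claims(resp["access_token"])
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # "aud" may be a single string or a list
        aud = [aud]
    lifetime = int(claims["exp"]) - int(claims["iat"])
    return {
        "audience_ok": expected_audience in aud,
        "lifetime_seconds": lifetime,
        "lifetime_matches_expires_in": lifetime == int(resp["expires_in"]),
        "lifetime_ok": lifetime == expected_lifetime,
        "has_refresh_token": "refresh_token" in resp,  # needs offline_access scope
    }


# --- Constructed sample data (assumption: not a real Auth0 response) --------
_SAMPLE_KEY = b"demo-only-key"  # HS256 throwaway key; Auth0 itself uses RS256
_SAMPLE_CLAIMS = {
    "iss": "https://auth.example.com/",
    "sub": "auth0|demo-user",
    "aud": ["https://api.example.com/", "https://auth.example.com/userinfo"],
    "iat": 1664560615,
    "exp": 1665165415,  # iat + 7 days = iat + 604800 s
    "scope": "openid profile email offline_access",
}


def _make_sample_jwt(claims: dict) -> str:
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(_SAMPLE_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


SAMPLE_RESPONSE = {
    "access_token": _make_sample_jwt(_SAMPLE_CLAIMS),
    "refresh_token": "demo-refresh-token",
    "scope": "openid profile email offline_access",
    "expires_in": 604800,
    "token_type": "Bearer",
}

if __name__ == "__main__":
    print(build_authorize_url("auth.example.com", "CLIENTID", "https://app.example.com/callback",
                              ["openid", "profile", "email", "offline_access"],
                              "https://api.example.com/", "accauth"))
    print(check_token_response(SAMPLE_RESPONSE, "https://api.example.com/", 7 * 24 * 3600))
```

If `audience_ok` is false, the token was issued without the audience (or for a different API) and the API's expiry setting does not apply to it; if `lifetime_matches_expires_in` is false, you are inspecting a token that was not issued by the response you are looking at. For a long-lived session the safer pattern remains a short access token plus a refresh token obtained with the offline_access scope, rather than a multi-day access token.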

As this topic has grown a bit large and convoluted, I've closed it out. For future reference, if anyone has a question regarding access token expiry, please open a new topic and feel free to link to this one if needed.

Thanks!