How to keep the session alive even without user activity for a long time

Problem Statement

How to keep the session alive even without user activity for a long time?

Solution

The Absolute Lifetime is for the refresh token (Configure Refresh Token Expiration). If you disable this setting, the absolute lifetime will be indefinite, as stated in the document.

The default Access Token expiration is 24 hours (Update Access Token Lifetime)

The ID Token expiration is 10 hours (Update ID Token Lifetime).

Here are the places to check token expiration:

  1. Dashboard → Applications → APIs → API setting
  • Token Settings → Token Expiration /Token Expiration For Browser Flows [for the testing purpose set shorter interval like 60 seconds]
    – This is the expiry of the Access Token**
    – Once this time is elapsed, and the user performs any activity on the page, the silent authentication process is triggered and the new Access Token is issued.
    – The allowed maximum expiration value is 2592000 (in seconds) for access tokens issued.
  1. Dashboard → Applications → Applications → Applications setting
  • Refresh token: A Refresh Token is a special kind of token used to obtain a renewed access token Configure Refresh Token Expiration.
    – Refresh Token Rotation → Rotation: enable this
    – This interval helps to avoid concurrency issues when exchanging the rotating Refresh Token multiple times within a given timeframe. During the leeway window, the breach detection features don’t apply and a new rotating Refresh Token is issued. Only the previous token can be reused; if the second-to-last one is exchanged, breach detection will be triggered.
  • Refresh Token Expiration → Absolute /Inactivity Lifetime: [for testing purpose set shorter interval like 80/ 20 seconds respectively]
    – This is the expiry of the Refresh Token, which is used to get a new Access Token
    – Once this time is elapsed, and the user performs any activity on the page, a Refresh Token is issued
    – This will issue a new Access Token
  1. Dashboard → Settings (tenant setting) → Advanced → Log In Session Management → Inactivity timeout
  • Tenant Session Management applies to the session (as represented by a cookie in the Auth0 tenant domain). If the Auth0 session (tenant inactivity in tenant settings) is expired, the user must log back in. The Refresh Token will not allow you to establish a new Auth0 session. The user will be forced to re-authenticate after 100 days of inactivity, or after 365 days even with activity, or fewer days depending on your tenant settings.
  • It is described in detail here: Session Lifetime Limits