I have a SPA app and have followed this tutorial here:
It seems that token renewal works, but as I understand it, a token is renewed only if the user is active during the session in which the token expires, e.g.:
- User opens site
- Token valid for 1 more hour
- User is on site for the full hour and longer
- Token gets renewed
But what happens if the user leaves after 30 minutes? Now the user will be marked as logged out when he's back several hours later. The problem I have with this is that I do not want my users to be logged out yet. Think of a site such as Product Hunt: you might not be on there every 2 hours as you are on Facebook; you might come back every 1-3 weeks. Do sites like these simply increase their token expiry to be very high so it looks as if the token didn't expire?
I believe the token can be set to have a longer expiry, but is this how one should solve my problem, or is there another renewal mechanism one should use?
Also, another question I have about this based on the SPA demo … Let's say the user hasn't been on the site for over 2 hours. Is it OK to simply renew the token, or how does the user get logged in again? Do they manually need to click on a login button?
Oh, and if increasing the duration is fine, then I guess this needs to be done both for the JWT (client settings) and for the access token (API settings)?
You are using the Implicit grant flow for authorization. As far as I know, when using the Implicit grant flow, it is NOT possible to renew tokens after a few weeks' absence of the user from the page. I will try to cover that below, but first the last questions, because they are easier.
You are right: the lifetime of the JWT (or id_token) can be set in the client settings and the lifetime of the access_token can be set in the API settings.
Is it correct to simply renew the token after 2 hours of user absence? It depends on the level of security you want. In some cases it is absolutely correct, in some not. Banking applications often log out the user after 20 minutes of inactivity (or immediately after the user leaves the page); on the other hand, e.g. e-shops can have longer lifetimes for tokens.
How does the user get logged in again (after expiration of tokens)? Do they manually need to click on a login button? Again, it depends on what you want:
- you can redirect the user to the login page
- you can renew the tokens (even if they have already expired) while the user does not notice anything… The only way to achieve this when using the Implicit grant flow is so-called Silent authentication. Unfortunately, this has some time limitations (see below). (In the tutorial you linked in your question, the renewal of tokens is performed by the checkSession method, which in fact only performs silent authentication inside an iframe.)
So, what are the time limitations on token renewals within Implicit grant flow?
- the lifetime of an access_token obtained by the Implicit grant flow can be set to 1 day at most, see here
- the silent authentication mechanism depends on the SSO session cookie expiration. Currently, silent authentication will not renew the tokens after 3 days of user inactivity. Even if the user is active every day, silent authentication allows token renewal (without bothering the user with a login) for 30 days at most, see here
If you want longer user sessions - e.g. the user can be absent for one week without a new login being required - you will have to consider switching from the Implicit grant flow to e.g. the Authorization code grant flow (in this flow, using a refresh_token, you have no time limitations on token renewals).
I talked to Ryan Chenkie, former community advocate at Auth0. In summary, my learnings are:
- Increase your expiry time (which decreases security). I think the best idea here is to be reasonable about how long one token is valid. I'm setting it to a two-month expiry so the users aren't logged out too often. For sites with frequent visitors a much lower expiry should be fine; I think this is a case-by-case decision.
- It's best practice to only renew a token right when it expires, though theoretically there's nothing stopping you from renewing the token as soon as the user visits your website (while their token hasn't expired yet).
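As an added example (not code from the thread or from the Auth0 tutorial), here is how a SPA can plan its renewals around the token's `exp` claim: renew shortly before expiry while the user is on the page, attempt a silent renewal on return, and fall back to a full login only when that fails. `silentRenew` and `redirectToLogin` are assumed callbacks standing in for the library's silent-authentication call (such as checkSession in an iframe) and the login redirect; the sample token is constructed and unsigned.

```javascript
// Read the payload of a compact JWT without verifying it. The SPA only uses
// `exp` for scheduling; the API must still verify the signature on every call.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Decide the next renewal step. `nowSec` is injected so the logic is testable.
// `marginSec` renews shortly before `exp` so the user never sees a failed call.
function planRenewal(token, nowSec, marginSec = 60) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return { action: 'expired', inSec: 0 };
  const remaining = exp - nowSec;
  if (remaining <= 0) return { action: 'expired', inSec: 0 };       // user came back late
  if (remaining <= marginSec) return { action: 'renew-now', inSec: 0 };
  return { action: 'schedule', inSec: remaining - marginSec };      // user is on the page
}

// Drive the plan. An expired token is still worth one silent attempt (the SSO
// cookie may be alive within the limits described above); if that fails, the
// only remaining option is an interactive login.
function startRenewalLoop(getToken, silentRenew, redirectToLogin,
                          nowSec = () => Math.floor(Date.now() / 1000)) {
  const step = planRenewal(getToken(), nowSec());
  const attempt = () => silentRenew()
    .then(() => startRenewalLoop(getToken, silentRenew, redirectToLogin, nowSec))
    .catch(() => redirectToLogin());
  if (step.action === 'schedule') setTimeout(attempt, step.inSec * 1000);
  else attempt();
}

// Constructed, unsigned test token (header.payload.fakeSignature); real tokens
// come from the authorization server and carry a verifiable signature.
function makeUnsignedJwt(payload) {
  const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url(payload)}.sig`;
}

const sampleToken = makeUnsignedJwt({ sub: 'user-123', exp: 1700003600 });
```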