Hey there, my company is making the switch to Auth0 and our main goal is ensuring that our users don’t have to log in if they are active during a 14 day period. If they continue to make calls and refresh their tokens, they should never be logged out. If they try to refresh a token outside of the 14 days they get logged out.
I believe this could be achieved by turning off “Refresh Token Rotation” and “Absolute Expiration”, but leaving on “Inactivity Expiration” and setting to 1209600 seconds.
My concern is that due to the tenant session “Require log in after” setting, my users will be logged out after 30 days regardless of the refresh token settings and forced to log back in.
To clarify the sessions, once your refresh token is expired you use the local or server side session to get a new refresh token. If you attempt to do this refresh and the session is expired, the user is logged out correct?
So for a standard plan, any user will be logged out after 30 days + refresh token expiration, correct?
In theory, if you set the refresh token to something really long like 90 days, they would be logged in for 90 days, the refresh would expire, and the session is already expired, they would be signed out. Correct?
The existing refresh token is used to request a new refresh token (and access token).
If the absolute lifetime for the family of refresh tokens is expired the user is forced to authenticate.
From the docs:
Absolute Lifetime : Set a refresh token or refresh token family lifetime after which the user must re-authenticate before being issued a new access token.
I will have to check on this.
I think this goes back to the previous question, whether or not the Login Session settings supersede the token lifetimes and force logout. I’ll ask the team and get back to you.
Here is what I gathered from speaking to the team:
The session settings and the refresh tokens are separate. The session settings ( Require log in after , Inactivity timeout) are specifically for the session cookie that is set after authentication. If you are using refresh token rotation, those limits will define when a user will need to re-authenticate.
If I’m using refresh token rotation, and my session is expired, but my refresh token is not expired, will I still be authenticated and be able to get a new refresh and access token?
@dan.woda - I just had a scenario where a test user was logged out after ~3 days of inactivity after a getAccessTokenSilently() call failed with “Login required”. I see this function is supposed to use refresh tokens, but I don’t see a refresh token being used in the token request.
We’re using the React SDK, and on 401 or 403 from an API call we run this function.
In the response I see we are only passed an access_token and an id_token. Since I have refresh token rotation turned on, shouldn’t a refresh token be returned too?
Have you configured your app to use refresh tokens? You need to tell the SDK to request one. From our docs:
The getAccessTokenSilently() method can renew the access and ID token for you using refresh tokens. To get a refresh token when a user logs in, pass useRefreshTokens={true} as a prop to Auth0Provider .
