Problem statement
Wer want to force some authorization flows to use the Browser Flows time available in APIs so that the token will expire sooner than the most secure flows.
Cause
The Token Expiration For Browser Flows (Seconds) field refers to access tokens issued for the API via implicit and hybrid flows and does not cover all flows initiated from browsers. For example, the PKCE flow (used in auth0-js-spa SDK) can be initiated from the browser, but it refers to the Token Expiration, not the Token Expiration For Browser Flows value.
Solution
Use one of these options:
- Implicit flow
- Hybrid flow
- Authorization code without PKCE from a SPA