Inactivity Expiration with Refresh Token

Problem Statement

We want users to be prompted for their credentials after 15 minutes of inactivity in the application, with the following lifetimes:

  • Refresh token will stay alive for 9 hours
  • Access token will be valid for 5 minutes
  • In case of 20 minutes of inactivity, the user will be forced to log in again

Below is our current configuration:

  • Refresh token rotation enabled with inactivity expiration set to 20min
  • Non-persistent session cookie enabled
  • Access token is set to 15min
  • Session lifetimes:
    • absolute: 7 days
    • idle: 9 hours

However, silent authentication after 15 minutes of inactivity does not return the “login required” error we expected.

Cause

Because the session idle lifetime was set to 9 hours, the session cookie was still valid and silent authentication succeeded, regardless of the refresh token having already expired after 20 minutes of inactivity. Silent authentication is decided by the session cookie, not by the refresh token.

Solution

  • Refresh token absolute lifetime set to 9 hours
  • Refresh token inactivity lifetime to 20 minutes
  • Access Token lifetime on the API is 5 minutes
  • Session inactivity lifetime: 20min
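As an added illustration (not part of the original article and not Auth0's code), the Python model below replays the original and corrected configurations for a user who returns after a period of inactivity. It treats the session cookie and the refresh token as independent timers, which is exactly the interaction described under Cause. Two values are assumptions because the page does not state them: the original refresh token absolute lifetime (taken as 9 hours) and the absolute session lifetime in the solution (taken as unchanged at 7 days).

```python
# Constructed simulation of the two lifetime configurations on this page.
# Times are in minutes; the session cookie and the refresh token are modelled
# as independent timers, which is the interaction the "Cause" section describes.
from dataclasses import dataclass

HOUR = 60
DAY = 24 * HOUR


@dataclass(frozen=True)
class Lifetimes:
    access_token: int           # API access token lifetime
    refresh_token_absolute: int
    refresh_token_idle: int     # refresh token inactivity expiration (rotation enabled)
    session_absolute: int       # tenant session absolute lifetime
    session_idle: int           # tenant session inactivity lifetime


# "Current configuration" from the page. The page does not state the original
# refresh token absolute lifetime; 9 hours is assumed here.
ORIGINAL = Lifetimes(access_token=15, refresh_token_absolute=9 * HOUR,
                     refresh_token_idle=20, session_absolute=7 * DAY,
                     session_idle=9 * HOUR)

# "Solution" from the page; the absolute session lifetime is assumed unchanged.
CORRECTED = Lifetimes(access_token=5, refresh_token_absolute=9 * HOUR,
                      refresh_token_idle=20, session_absolute=7 * DAY,
                      session_idle=20)


@dataclass
class Login:
    """State created by one interactive login at t = 0."""
    cfg: Lifetimes
    last_refresh_use: int = 0       # refresh token idle timer (reset on each rotation)
    last_session_activity: int = 0  # session idle timer (reset on each /authorize)
    access_token_issued: int = 0

    def access_token_valid(self, now: int) -> bool:
        return now - self.access_token_issued < self.cfg.access_token

    def refresh_token_valid(self, now: int) -> bool:
        return (now < self.cfg.refresh_token_absolute
                and now - self.last_refresh_use < self.cfg.refresh_token_idle)

    def session_valid(self, now: int) -> bool:
        return (now < self.cfg.session_absolute
                and now - self.last_session_activity < self.cfg.session_idle)

    def use_refresh_token(self, now: int) -> bool:
        """Refresh token grant: fails once the token has hit either limit."""
        if not self.refresh_token_valid(now):
            return False
        self.last_refresh_use = now        # rotation issues a fresh token
        self.access_token_issued = now
        return True

    def silent_auth(self, now: int) -> str:
        """/authorize with prompt=none: decided by the session cookie alone."""
        if not self.session_valid(now):
            return "login_required"
        self.last_session_activity = now
        self.access_token_issued = now
        return "ok"


def outcome_after_idle(cfg: Lifetimes, idle_minutes: int) -> str:
    """What a SPA gets when the user returns after idle_minutes of inactivity.

    Order mirrors a typical client: reuse the access token, else try the
    refresh token, else fall back to silent authentication.
    """
    state = Login(cfg)
    if state.access_token_valid(idle_minutes):
        return "access_token_still_valid"
    if state.use_refresh_token(idle_minutes):
        return "refreshed"
    return state.silent_auth(idle_minutes)   # "ok" or "login_required"


def first_failed_refresh(cfg: Lifetimes, every_minutes: int) -> int:
    """Minute at which a refresh token grant first fails for a user who
    refreshes every every_minutes; distinguishes idle from absolute expiry."""
    state = Login(cfg)
    now = 0
    while True:
        now += every_minutes
        if not state.use_refresh_token(now):
            return now


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for idle in (10, 15, 25):
            print(f"{name:9} idle {idle:2} min -> {outcome_after_idle(cfg, idle)}")
    print("corrected, refresh every 10 min, first failure at minute",
          first_failed_refresh(CORRECTED, 10))
```

With the original settings, a user idle for 25 minutes has an expired refresh token but still gets "ok" from silent authentication, because the 9-hour session idle lifetime has not elapsed; with the corrected settings the same user gets "login_required". The steady-use check shows that a user who keeps refreshing every 10 minutes is still cut off at minute 540 by the 9-hour absolute refresh token lifetime.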

Please note that a new standard login resets the login session. While the user remains logged in, the existing session lifetime limits continue to be extended; the new settings take effect only after the existing session ends and the user is asked to log in again.