Inactivity timeout not working with JWT

Hi!

I would like to force users to log out unless they are active within 15 min. I’ve made adjustments to Log In Session Management in Tenant settings and it worked perfectly fine while I was using an opaque access token.
But I noticed the access token I gained remains valid long after 15 min. I’ve learned that currently there is no way to change the expiration time for an opaque token, so I switched to JWT by providing the audience param to Auth0Provider and configured its expiration time in APIs to 900 sec.
However, after that the Inactivity timeout stops working and I get a "401: Unauthorized" error because the token expires and the app fails to request reauthentication.
Any ideas why, and how I could fix it?

1 Like

Hi @sabeslamidze, welcome to the community!

If I’m understanding you, this sounds like it is working as expected. If the user did not make any requests to the Auth0 server, their session would have ended at the same time the Access token expired. So the API rejects the token as it’s expired, and the user cannot fetch a new token as their session is expired too, so they would need to re-authenticate to get a new session, before they could get a new access token.

If you want to keep the user’s session alive whilst they are using your app, you will need to implement checkSession / getAccessTokenSilently calls (the name can vary between SDKs) to fetch a new token and thus refresh the inactivity timer on their Auth0 session. When you would make these calls would depend on your use case and security needs of your app.
Please see here for some more info on using ‘silent authentication’ to get new tokens without bothering the end user and examples for a couple of our SDKs:

1 Like

Hey sgo, thanks for your response!

The behaviour I’m looking for is that the user is automatically logged out from the app after 15 idle minutes. However, after that time the client still requests the API, which is wrong because the session should be expired by that time and the user should be forwarded to the login page.

Also can you please explain what are the prerequisites to make Inactivity timeout work? Because it’s acting really strange and it seems to be off even when I revert the change with the audience.

2 Likes

Hi @sabeslamidze. If a user’s Auth0 session expires, they will be logged out of Auth0 and need to re-authenticate before being able to request any new access tokens. But your application likely has its own session, which also needs to be terminated. Please see here for more information on the different layers of sessions: Logout

So for example, you could make a checkSession / GetAccessTokenSilently (depending on what SDK you are using) call when the user attempts to carry out a sensitive operation / navigation, and if you see a “login required” error returned, delete the user’s application session and redirect them to your login page / the authorize endpoint.

On top of this, access tokens are valid until they expire irrespective of sessions, so ideally your access token expiration would be the same as, if not lower than, your inactivity timeout setting, to avoid issued tokens being valid beyond the session’s timeout.

If the user still has a valid session, checkSession / GetAccessTokenSilently will return a new session and refresh their inactivity timeout.

1 Like
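The flow Steve describes in the two replies above (call getAccessTokenSilently before sensitive operations, treat a `login_required` error as "the Auth0 session is gone, kill the app session and redirect", and keep the access token lifetime no longer than the inactivity timeout), as an added example. This is not code from the thread or from Auth0. `getAccessTokenSilently()`, its `cacheMode` option and the `login_required` error code are real auth0-spa-js behaviour; the FakeAuth0Client, the injected clock, the constructed JWTs, the `ensureAccessToken` / `onLoginRequired` names and the 15-minute timeout are stand-ins and assumptions so the file runs offline with Node.

```javascript
// Added example, not code from the original thread or from Auth0.
// Assumptions: tenant inactivity timeout 15 min, API token expiration 900 s
// (both from the thread); FakeAuth0Client stands in for an auth0-spa-js
// Auth0Client; JWTs below are constructed with a dummy signature.

const INACTIVITY_TIMEOUT_S = 15 * 60; // tenant "Inactivity timeout" (assumed)
const ACCESS_TOKEN_TTL_S = 900;       // API "Token Expiration" from the thread

// --- JWT helpers (decode only: the API verifies signatures, the SPA never should) ---
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}
function makeJwt(payload) {
  // Constructed token with a dummy signature, purely for the simulation.
  return `${b64url({ alg: 'RS256', typ: 'JWT' })}.${b64url(payload)}.sig`;
}
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}
// The check from the thread: a token must not outlive the session it was issued under.
function tokenLifetimeFitsSession(jwt, inactivityTimeoutS = INACTIVITY_TIMEOUT_S) {
  const { iat, exp } = decodeJwtPayload(jwt);
  return exp - iat <= inactivityTimeoutS;
}

// --- Stand-in for an auth0-spa-js Auth0Client (assumed behaviour, simplified) ---
class FakeAuth0Client {
  constructor(clock) { this.clock = clock; this.lastActive = clock.now; }
  async getAccessTokenSilently(_options) {
    // No round trip within the inactivity window: the Auth0 session is gone.
    if (this.clock.now - this.lastActive > INACTIVITY_TIMEOUT_S) {
      const err = new Error('Login required');
      err.error = 'login_required'; // the error code auth0-spa-js surfaces
      throw err;
    }
    this.lastActive = this.clock.now; // a successful silent auth resets the idle timer
    const now = this.clock.now;
    return makeJwt({ iat: now, exp: now + ACCESS_TOKEN_TTL_S, aud: 'https://api.example.com' });
  }
}

// --- Application side (hypothetical helper) ---
// Call before sensitive operations / navigations, or on a timer while the user
// is active. `onLoginRequired` is where the app clears its own session state
// and redirects to its login page or calls loginWithRedirect().
async function ensureAccessToken(auth0, appSession, onLoginRequired) {
  try {
    // cacheMode: 'off' (auth0-spa-js v2) forces the round trip to Auth0, which is
    // what refreshes the inactivity timer; with the default cache a still-valid
    // token is served locally and the Auth0 session is not touched.
    const token = await auth0.getAccessTokenSilently({ cacheMode: 'off' });
    appSession.token = token;
    return { ok: true, token };
  } catch (err) {
    if (err && err.error === 'login_required') {
      appSession.token = null; // the app session must die with the Auth0 session
      onLoginRequired();
      return { ok: false, reason: 'login_required' };
    }
    throw err; // network/other errors are not a logout signal; surface them
  }
}

// The scenario from the thread: active user, then a 16-minute idle gap, then an API call.
async function simulate() {
  const clock = { now: 1_700_000_000 };
  const auth0 = new FakeAuth0Client(clock);
  const appSession = { token: null };
  let redirected = false;
  const onLoginRequired = () => { redirected = true; };
  const log = [];

  clock.now += 10 * 60; // active after 10 min: within the window, session refreshed
  const first = await ensureAccessToken(auth0, appSession, onLoginRequired);
  log.push({ t: 10, ok: first.ok, fits: tokenLifetimeFitsSession(first.token) });

  clock.now += 14 * 60; // 14 min idle: still inside the window
  const second = await ensureAccessToken(auth0, appSession, onLoginRequired);
  log.push({ t: 24, ok: second.ok });

  clock.now += 16 * 60; // 16 min idle: Auth0 session expired, app must log out
  const third = await ensureAccessToken(auth0, appSession, onLoginRequired);
  log.push({ t: 40, ok: third.ok, reason: third.reason, redirected, tokenCleared: appSession.token === null });
  return log;
}
```

Two caveats when wiring this to a real client: silent authentication in auth0-spa-js runs through a hidden iframe against the Auth0 session cookie, so it needs that cookie to be readable (custom domain or third-party cookies allowed) to work at all; and if `useRefreshTokens` is enabled the SDK renews via the refresh token instead of the session cookie, so the refresh token's own idle lifetime, not the tenant inactivity timeout, becomes the setting that governs how long an idle user stays usable.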

Thanks for helping on this one and providing all the explanations Steve!