I’m beating a somewhat dead horse, but… We would like to extend the session and token timeout/expiration of the 30/3 days rule (or at the very least bump up the inactivity timeout from 3 days to a total of 30 as well).
The reoccurring theme with each is that the session expiration can be moved to a duration of 30 days, BUT the non-configurable inactivity timeout would make this redundant, seeing as the user would be logged out after 3 days of inactivity.
@jmangelo brings up some secret/potential/theoretical plans to provide auth0 users a way to configure expirations/timeouts:
I can let you know that there are plans to give you more control and flexibility over the session in question which would likely meet all your requirements, but at this time there is not yet definitive information about this.
However, the information I have is that we may want to provide something completely different than just a value setting, for example, a way to define a policy that would evaluate when the session could be reused or considered no longer valid. The side-effect of being more flexible is that it will require more time and meanwhile if just another setting was available it would be another thing that in future could require a migration.
As others in the linked threads, I’m all for a more flexible approach. However, I hope that auth0 realises that I can’t do much with promises today.
On June 17 @jmangelo wrote that he brought up the issue of extending the inactivity timeout - since I cannot comment under any of the threads linked (they’re all closed) - I’ve created this topic to ask about it here.
We’d really appreciate:
1. Increasing/lifting the limit of inactivity timeout (at least until the flexible ruleset has been implemented)
2. Letting us know of any potential workarounds that would not break our SPA / API stack
3. Giving us a somewhat definitive timeline on the flexible features that have been hinted at
- Counting on auth0’s understanding nature
Please keep in mind that not every employee might be knowledgeable about what is happening with a particular product request. Ultimately, the feedback form ensures that Product Managers like myself can see your particular feature requests and respond appropriately.
So to the specific questions:
We are working to increase the inactivity timeout limit and define what that will look like. We spent a lot of effort this year in rearchitecting the underlying session management and SSO infrastructure so that we could handle this and other session related features. Before fully enabling this capability for all cloud customers we still have some additional engineering and product work to ensure that we don’t negatively impact reliability, and that we know exactly where this feature falls in our overall product portfolio.
I am not aware of any workarounds for the current session limits.
We are not ready yet to provide a definitive timeline on when this feature will be delivered. I know it is frustrating as a customer to not be able to deliver the User Experience you want in your apps due to a limitation of a service vendor. As the product manager who owns this feature, I share your frustration, as this is not the experience I want you to have. Please bear with us as we work to bring a significantly improved session management capability to our products.