Is there any suggested way to use Auth0 for long-term web authentication? I’ve seen various other threads suggesting that it’s impossible to keep a user logged in if they don’t use your web app for more than 3 days, and even if they use it every day, it’s impossible to keep them logged in for more than 30 days.
Is this accurate? It does seem reasonable as a default, but it’s a very harsh hard limit. I can think of lots of popular web applications that keep me logged in more or less indefinitely (certainly for more than 3 days inactive), and I suspect many users assume this behaviour by default. More practically, indefinite authentication with manual revocation is a strict requirement for my current project.
For context, the only data I store associated with users is their email & current subscription status. Even in a browser, I think the chance of a refresh token being leaked is very low, and the damage if that does happen is minimal (other than the leak of their email address, it’s entirely to my own business: if user B steals a token then they can use user A’s subscription). As a hard requirement though, I do need to be able to confirm users’ subscription status reliably without asking them to log in every week, and I really don’t want to have to build my own authentication infrastructure to do so.
Is there any way (even if normally strongly discouraged) to use refresh tokens on the web, so I can work around this?
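To make the two limits in the question concrete, here is an added example (not from the post and not Auth0's implementation) of a minimal server-side refresh-token store that enforces an inactivity lifetime and an absolute lifetime, rotates tokens on each refresh, and supports the manual revocation the poster needs. The store, the `DAY` constant, the default limits and the `simulate` helper are all constructed for this illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass

DAY = 86400
INACTIVITY_LIMIT = 3 * DAY   # "3 days inactive" from the post
ABSOLUTE_LIMIT = 30 * DAY    # "30 days even if used daily" from the post


@dataclass
class Session:
    issued_at: int   # fixed for the life of the chain: drives the absolute limit
    last_used: int   # slides forward on every successful refresh
    revoked: bool = False


class RefreshTokenStore:
    """Server-side store holding only SHA-256 hashes of refresh tokens."""

    def __init__(self, inactivity=INACTIVITY_LIMIT, absolute=ABSOLUTE_LIMIT):
        self.inactivity, self.absolute = inactivity, absolute
        self._sessions = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, now, issued_at=None):
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(issued_at if issued_at is not None else now, now)
        return token

    def refresh(self, token, now):
        """Return a rotated token if the presented one is still valid, else None."""
        s = self._sessions.get(self._key(token))
        if s is None or s.revoked:
            return None
        if now - s.last_used > self.inactivity or now - s.issued_at > self.absolute:
            s.revoked = True          # expired: kill the chain
            return None
        del self._sessions[self._key(token)]   # rotation: old token is single-use
        return self.issue(now, issued_at=s.issued_at)

    def revoke(self, token):
        s = self._sessions.get(self._key(token))
        if s is not None:
            s.revoked = True


def simulate(interval_days, inactivity_days=3, absolute_days=30):
    """Refresh every `interval_days`; return the day on which the session first fails."""
    store = RefreshTokenStore(inactivity_days * DAY, absolute_days * DAY)
    token, day = store.issue(0), interval_days
    while (token := store.refresh(token, day * DAY)) is not None:
        day += interval_days
    return day
```

Under these limits `simulate(1)` shows a daily user losing the session on day 31, and `simulate(4)` shows a four-day gap ending it immediately; raising `absolute_days` is what "indefinite with manual revocation" would require.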