Using react-native-auth0 with “Allow Refresh Token Rotation” enabled, our app allows users to stay logged in for the “Maximum Refresh Token Lifetime”, which we have set to a year. We call getCredentials() to get the accessToken for API calls, which I assume refreshes if necessary. Great.
Using an identical auth0 configuration for our @opennextjs/cloudflare webapp which uses @auth0/nextjs-auth0, users are routinely logged out after a few days, even though we similarly call getAccessToken() for the api calls.
What is the recommended approach to keep users logged in for a month or more using token rotation in cloud-based next.js webapps?
Refresh Token configuration inside the Auth0 Dashboard
Session lifetime configuration under Dashboard → Settings → Advanced
Your SDK configuration → Do you use refresh: true when using getAccessToken(), or are you passing in the offline_access scope and the proper audience?
From what I understand, the token refresh might be failing on your web application because the user’s session is being terminated due to inactivity or has expired (due to the tenant settings). Since the application is trying to refresh a session that does not exist, it basically logs out the users.
Regarding the SDK configuration, we do not use refresh: true when using getAccessToken() and we do set offline_access scope and the proper audience.
As you clearly suggested, termination of the user’s session due to inactivity looks like the most likely reason. Our Idle Session Lifetime is set to a default 4320 minutes (3 days), which is likely causing our non-active users to be logged out, but I see 3 days is the maximum allowed value…
After further investigation, I realized I have overlooked the fact that you are using a nextjs based application with cloudflare.
To provide more information on the matter, the issue might be caused by the fact that the nextjs-auth0 SDK enforces its own session lifetime logic via cookies, which is independent of the Refresh Token’s validity in Auth0. By default, the SDK has a hard session limit (Absolute Duration) of 7 days and an inactivity limit (Rolling Duration) of 24 hours. Even if your Refresh Token is valid for a year, the SDK will discard the session cookie after 7 days (or 24 hours of inactivity) unless you configure it otherwise. More information on the above can be found here.
Otherwise, set these values in your .env or within your Cloudflare wrangler.toml/Dashboard:
#Values for a 30 day session
AUTH0_SESSION_ABSOLUTE_DURATION=2592000
AUTH0_SESSION_ROLLING_DURATION=2592000
#Values for 1 year session (if necessary)
AUTH0_SESSION_ABSOLUTE_DURATION=31557600
AUTH0_SESSION_ROLLING_DURATION=31557600
#Ensure the session cookie updates on every visit
#You most likely already have this enabled
AUTH0_SESSION_ROLLING=true
Please be mindful of the cookie size limits imposed by Cloudflare: if the cookies are too large, you will encounter 502 and 400 errors. Just make sure your claims inside the user session are not exceeding this limit.