Using react-native-auth0 with “Allow Refresh Token Rotation” enabled, our app allows users to stay logged in for the “Maximum Refresh Token Lifetime”, which we have set to a year. We call getCredentials() to get the accessToken for API calls, which I assume refreshes if necessary. Great.
Using an identical auth0 configuration for our @opennextjs/cloudflare webapp which uses @auth0/nextjs-auth0, users are routinely logged out after a few days, even though we similarly call getAccessToken() for the api calls.
What is the recommended approach to keep users logged in for a month or more using token rotation in cloud-based next.js webapps?
Many thanks.
Hi @philipbattle
Welcome to the Auth0 Community!
Can you please share what is your current:
- Refresh Token configuration inside the Auth0 Dashboard
- Session lifetime configuration under Dashboard → Settings → Advanced
- Your SDK configuration → Do you use refresh: true when using getAccessToken(), or are you passing in the offline_access scope and the proper audience?
From what I understand, the token refresh might be failing on your web application because the user’s session is being terminated due to inactivity or has expired (due to the tenant settings). Since the application is trying to refresh a session that does not exist, it basically logs out the users.
Looking forward to your reply!
Kind Regards,
Nik
Hi again @philipbattle
Since you have not replied back, I will be marking my previous reply as the Solution.
If you need further assistance, you can let me know or you can post again on the Community!
Kind Regards,
Nik
Hi Nik,
Many thanks for the quick response and apologies for my slow one.
Here is the Refresh Token configuration inside the Auth0 Dashboard for our production tenant:
And here is the Session lifetime configuration under Dashboard → Settings → Advanced:
Regarding the SDK configuration, we do not use refresh: true when using getAccessToken() and we do set offline_access scope and the proper audience.
As you clearly suggested, termination of the user’s session due to inactivity looks like the most likely reason. Our Idle Session Lifetime is set to a default 4320 minutes (3 days), which is likely causing our non-active users to be logged out, but I see 3 days is the maximum allowed value…
Kind regards.
Philip
Hi again @philipbattle
Thanks for the updates regarding the matter.
After further investigation, I realized I have overlooked the fact that you are using a nextjs based application with cloudflare.
To provide more information on the matter, the issue might be caused by the fact that the nextjs-auth0 SDK enforces its own session lifetime logic via cookies, which is independent of the Refresh Token’s validity in Auth0. By default, the SDK has a hard session limit (Absolute Duration) of 7 days and an inactivity limit (Rolling Duration) of 24 hours. Even if your Refresh Token is valid for a year, the SDK will discard the session cookie after 7 days (or 24 hours of inactivity) unless you configure it otherwise. More information on the above can be found here.
Otherwise, set these values in your .env or within your Cloudflare wrangler.toml/Dashboard:
#Values for a 30 day session
AUTH0_SESSION_ABSOLUTE_DURATION=2592000
AUTH0_SESSION_ROLLING_DURATION=2592000
#Values for 1 year session (if necessary)
AUTH0_SESSION_ABSOLUTE_DURATION=31557600
AUTH0_SESSION_ROLLING_DURATION=31557600
#Ensure the session cookie updates on every visit
#You most likely already have this enabled
AUTH0_SESSION_ROLLING=true
Please be mindful of the cookie size limits imposed by Cloudflare: if the cookies are too large, you will encounter 502 and 400 errors. Just make sure the claims inside the user session are not exceeding this limit.
Let me know if the above is helpful!
Kind Regards,
Nik
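To make the interaction between the settings discussed in this thread concrete, here is an added example (not the SDK's or Auth0's own code) that replays a user's visit times against the session cookie rules described above: an absolute limit counted from login, a rolling (inactivity) limit counted from the last visit, and the cookie being re-issued on each visit while rolling is enabled. The expiry rules are a simplified model of the behaviour the post describes, and configFromEnv is this example's own helper that reads the AUTH0_SESSION_* variable names used in the thread.

```javascript
// Simplified model of the nextjs-auth0 session cookie lifetime rules described in
// the thread. Stand-alone simulation, not the SDK's implementation. All times in seconds.
const HOUR = 60 * 60;
const DAY = 24 * HOUR;

// SDK defaults quoted in the thread: 7-day absolute limit, 24-hour inactivity limit.
const SDK_DEFAULTS = { absoluteDuration: 7 * DAY, rollingDuration: DAY, rolling: true };

// Helper (this example's own) that builds a config from the env variable names used
// in the thread, falling back to the quoted defaults when a variable is absent.
function configFromEnv(env) {
  const num = (key, fallback) => (env[key] === undefined ? fallback : Number(env[key]));
  return {
    absoluteDuration: num('AUTH0_SESSION_ABSOLUTE_DURATION', SDK_DEFAULTS.absoluteDuration),
    rollingDuration: num('AUTH0_SESSION_ROLLING_DURATION', SDK_DEFAULTS.rollingDuration),
    rolling: env.AUTH0_SESSION_ROLLING === undefined ? true : env.AUTH0_SESSION_ROLLING === 'true',
  };
}

// The 30-day values suggested in the thread.
const THIRTY_DAY_CONFIG = configFromEnv({
  AUTH0_SESSION_ABSOLUTE_DURATION: '2592000',
  AUTH0_SESSION_ROLLING_DURATION: '2592000',
  AUTH0_SESSION_ROLLING: 'true',
});

// Replay visit times (seconds since login, ascending) against a config.
// Returns the time of the first visit that finds the session expired, or null
// if every visit still found a live session. Assumption: with rolling disabled
// only the absolute limit applies; with rolling enabled the cookie's inactivity
// clock restarts on each successful visit.
function firstLogoutVisit(config, visitTimes) {
  const createdAt = 0;
  let lastActiveAt = createdAt;
  for (const t of visitTimes) {
    const absoluteExpired = t - createdAt >= config.absoluteDuration;
    const idleExpired = config.rolling && t - lastActiveAt >= config.rollingDuration;
    if (absoluteExpired || idleExpired) return t;
    if (config.rolling) lastActiveAt = t; // cookie re-issued, inactivity clock restarts
  }
  return null;
}

// Constructed visit patterns: an occasional user (every 2 days) and a frequent one (every 20 h).
const occasionalUser = [2 * DAY, 4 * DAY, 6 * DAY];
const frequentUser = Array.from({ length: 40 }, (_, i) => (i + 1) * 20 * HOUR);
for (const [name, cfg] of [['defaults', SDK_DEFAULTS], ['30-day', THIRTY_DAY_CONFIG]]) {
  console.log(name, 'occasional user logged out at day',
    (firstLogoutVisit(cfg, occasionalUser) ?? NaN) / DAY, '; frequent user at day',
    (firstLogoutVisit(cfg, frequentUser) ?? NaN) / DAY);
}
```

With the defaults the occasional user is logged out on the first return visit (2 days of inactivity exceeds the 24-hour rolling limit) and the frequent user at the 7-day absolute limit; with the 30-day values the occasional user survives and even the frequent user is logged out at exactly 30 days, since the absolute limit is not extended by activity.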