Problem statement
As part of an upcoming compliance audit for a potential customer, we need to be able to demonstrate a documented timeout for Auth0 Dashboard authenticated sessions when accessing our tenant settings.
Solution
In the current Dashboard Session length, there are two sessions at play:
- The "
auth0.auth0.com"session is configured to expire after 3 days of inactivity or after 7 days since the last interactive login - This session applies to the Support Center (support.auth0.com), Community (community.auth0.com), docs (auth0.com/docs), main Auth0 website (auth0.com). - The Auth0 Dashboard session (from
manage.auth0.com). This one lasts 12 hours. This session plays if you leave the Auth0 dashboard tab open. You will be logged out after 12 hours, both from the Dashboard and from Auth0 (auth0.auth0.com). If you close the tab, the default session lifetime is the 3-day rolling session, up to a maximum of 7 days.
If the user uses any available external identity providers to log in (like any social identity or an identity provider configured for SSO with the Auth0 Dashboard), then a third session is at play. E.g., if you click on “Continue with Google”, Google won’t prompt the user to log in if they are already authenticated with Google.
Q. Can the session duration be changed?
A. Not for public cloud. For private environments, the session duration can be configurable.
Q. Can the session change dynamically for a tenant/user?
A. No. It’s the same for everyone.