My company has a restriction that our access tokens need to be valid for 15 minutes (which I got working) and the refresh token is valid for 30 minutes (which I’m having trouble with).
If the user steps away from the application (It’s in react) for longer than the 30 minutes of the refresh token, the user needs to be taken back to the login page.
My problem is, I’m never getting kicked out to the login page.
To shorten my test I tried to be kicked out after 5 minutes, so I’ve put the following settings:
In the applicaiton:
ID Token Expiration = 300 seconds
Absolute Lifetime = 300 seconds
Inactivty Lifetime = 299 seconds
In the api:
Maximum Access Token Lifetime: 120 seconds
Implicit / Hybrid Flow Access Token Lifetime: 120 seconds
I don’t really know what configuration is wrong and how I can accomplish this scenario.
CSOC won’t allow us to go to production unless we figure out how to have the inactive users back to the login page after 30 minutes of inactivity.
Hi @bmiranda ,
Welcome to the Auth0 Community!
I recommend checking these articles on how to log user out after inactivity:
Problem Statement:
In our tenant we have non-persistent sessions enabled. But when the tab, window, or browser is closed and reopened, the session persists.
Solution:
There could be a couple reasons for sessions persisting. The browser being used, the browser settings, and the operating system all can affect this feature.
If the user has a session restore setting on the browser enabled, restoring the session also restores the session cookie.
Additionally closing the tab by itself is not eno…
Please let me know if you have any further questions.
Thanks,
system
October 10, 2024, 12:05pm
4
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.