
Make renewAuth more flexible in terms of session timeouts/inactivity time




Allow the “renewAuth” session timeout to be freely configured, both in terms of the maximum timeout (currently limited to 30 days) and in terms of user inactivity (currently fixed at a maximum of 3 days and not configurable).


Silent authentication (aka renewAuth) is the proposed method to renew expired access tokens (API tokens) for SPA apps using the implicit flow. It is also proposed as a replacement for the old API, which used id tokens and refresh tokens, and should be the new standard way of renewing web tokens in SPAs.

This solution is currently based on a session handled by Auth0 during login via hosted page, but some scenarios are severely limited due to:

  1. The maximum session timeout is configurable, but limited to 30 days max
  2. Max inactivity for the user is fixed at 3 days, not configurable

This makes it impossible to cover some scenarios:

  1. “Remember me” feature, which allows the user to stay indefinitely logged in until explicitly logged out
  2. Avoiding having to re-enter credentials if the user’s usage pattern is longer than 3 days

The proposed workaround is to transform the SPA into a regular web app that bootstraps the SPA, use the authorization code flow, and manually handle sessions and refresh tokens on a server. This prevents static hosting, makes development much more complex, and requires re-implementing sessions which are already implemented in Auth0.


Just writing in support of this and asking if anyone has a best practice in Nov 2017 for a workaround (if needed). Wrote about this on the question but maybe better here.

It just seems as though there are so many SPAs now and I’m wondering if I’m behind in security practice by allowing more than 3 days idle. It certainly doesn’t feel that way using most social networks or B2B apps, so I just have to wonder if other people have worked around or if users really don’t mind 3 day idle timeouts. There must be a reason this isn’t a more popular request so I feel like I’m missing something obvious.


For reference, this tracks to this question: