IN BRIEF:
Silent authentication (aka renewAuth) is the proposed method for renewing expired access tokens (API tokens) in SPAs that use the implicit flow. It is also proposed as the replacement for the old API, which used ID tokens and refresh tokens, and is meant to become the standard way of renewing tokens in SPAs.
This solution currently relies on a session established by Auth0 when the user logs in through the hosted login page, but some scenarios are severely limited because:
- The maximum session lifetime is configurable, but capped at 30 days
- The maximum user inactivity period is fixed at 3 days and is not configurable
This makes it impossible to support some scenarios:
- A “Remember me” feature, which lets the user stay logged in indefinitely until explicitly logging out
- Avoiding re-entry of credentials when the user's usage pattern has gaps longer than 3 days
The proposed workaround is to turn the SPA into a regular web app that bootstraps the SPA, use the authorization code flow, and handle sessions and refresh tokens manually on a server. This rules out static hosting, makes development much more complex, and requires re-implementing sessions that Auth0 already implements.
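As an added illustration (not code from the original post or from Auth0), the loop below shows what an SPA built on silent authentication actually does: renew shortly before the access token expires, back off on transient failures, and treat `login_required` (the OIDC `prompt=none` error returned once the hosted session hits the 30-day cap or the 3-day inactivity limit) as the point where the SPA can do nothing but send the user back to login. The silent-auth call itself is assumed to be injected as `renew(cb)` with the callback shape `cb(err, { accessToken, expiresIn })`, which is how auth0.js `renewAuth`/`checkSession` report results; the names `createTokenRenewer`, `onToken`, `onLoginRequired` and `onError` are this example's own.

```javascript
function createTokenRenewer(options) {
  const {
    renew,                   // (cb) => void, issues the silent auth request (assumed shape)
    onToken,                 // receives each fresh access token
    onLoginRequired,         // the Auth0 session is gone: redirect to login
    onError,                 // transient failure (network, timeout)
    setTimer = setTimeout,   // injectable for testing
    clearTimer = clearTimeout,
    leewayMs = 60 * 1000,    // renew this long before the token expires
    retryMs = 30 * 1000,     // wait this long before retrying a transient failure
  } = options;
  let timer = null;
  let stopped = false;
  // OIDC prompt=none errors meaning "the user must log in again"; the SPA
  // cannot extend the session itself, which is the limitation described above.
  const SESSION_ERRORS = new Set(['login_required', 'interaction_required', 'consent_required']);

  function schedule(delayMs) {
    if (!stopped) timer = setTimer(attempt, Math.max(0, delayMs));
  }

  function attempt() {
    renew((err, result) => {
      if (stopped) return;
      if (err) {
        if (SESSION_ERRORS.has(err.error)) {
          onLoginRequired(err);          // no further renewals are scheduled
        } else {
          onError(err);
          schedule(retryMs);             // e.g. iframe timeout: try again later
        }
        return;
      }
      onToken(result.accessToken, result.expiresIn);
      schedule(result.expiresIn * 1000 - leewayMs);   // expiresIn is in seconds
    });
  }

  return {
    start: attempt,
    stop() { stopped = true; if (timer !== null) clearTimer(timer); },
  };
}
```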