I am trying to use the max_age property to force reauthentication of the user. I’m unable to get it to work with auth0Lock v11.3 for JavaScript. I’m passing max_age to my lock through the options. I see that the max_age value is getting sent to the authorize endpoint. But it is not working. I have also added the “auth_time” claim value to the ID token like this documentation states
Force Reauthentication in OIDC.
Is this supposed to work with the classic login?
Side note: In the documentation (a lot of your documentation) there are many links that are not even available anymore.
Hi @nikhil.batta,
Yes, it works with the Classic Universal Login Experience on Auth0 Lock v11.3, as well as the current v12.1.0.
You will need to make a login request something like the following:
https://{yourDomain}/authorize?
response_type=code&
client_id={yourClientId}&
redirect_uri={https://yourApp/callback}&
scope={scope}&
audience={apiAudience}&
state={state}&
max_age=0
Please let us know if you have any additional questions.
Thanks,
Rueben
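An added example, not part of the original posts and not Auth0's own code: under OpenID Connect the application should also check the auth_time claim of the returned ID token against the max_age it sent, and restart login if too much time has elapsed. The function name, the leeway parameter and the sample claim values below are assumptions made for illustration.

```javascript
// Check that a verified ID token satisfies the max_age sent to /authorize.
// `claims` must be the payload of an ID token whose signature, iss, aud and
// exp have ALREADY been validated; this helper only checks login freshness.
function checkAuthFreshness(claims, maxAgeSeconds, nowSeconds, leewaySeconds = 0) {
  if (!Number.isInteger(maxAgeSeconds) || maxAgeSeconds < 0) {
    throw new TypeError('maxAgeSeconds must be a non-negative integer');
  }
  const authTime = claims ? claims.auth_time : undefined;
  // When max_age is requested, the ID token is required to carry auth_time.
  if (typeof authTime !== 'number' || !Number.isFinite(authTime)) {
    return { fresh: false, reason: 'auth_time claim missing or not a number' };
  }
  // A login time ahead of our clock (beyond leeway) is not trustworthy.
  if (authTime > nowSeconds + leewaySeconds) {
    return { fresh: false, reason: 'auth_time is in the future' };
  }
  const elapsed = nowSeconds - authTime;
  if (elapsed > maxAgeSeconds + leewaySeconds) {
    return {
      fresh: false,
      reason: `last login ${elapsed}s ago exceeds max_age ${maxAgeSeconds}s`,
    };
  }
  return { fresh: true, reason: 'ok' };
}

// Constructed sample data (not taken from the thread).
const SAMPLE_NOW = 1700000000; // fixed "current time" in epoch seconds
const SAMPLE_CLAIMS = {
  recentLogin: { sub: 'user-1', auth_time: SAMPLE_NOW - 10 },
  reusedSession: { sub: 'user-1', auth_time: SAMPLE_NOW - 45 },
  noAuthTime: { sub: 'user-1' },
};

function demo() {
  return {
    recent: checkAuthFreshness(SAMPLE_CLAIMS.recentLogin, 30, SAMPLE_NOW),
    reused: checkAuthFreshness(SAMPLE_CLAIMS.reusedSession, 30, SAMPLE_NOW),
    missing: checkAuthFreshness(SAMPLE_CLAIMS.noAuthTime, 30, SAMPLE_NOW),
  };
}

console.log(demo());
```

With max_age=0 a small leeway is needed, since a second or two always passes between the login and the moment the application processes the token.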
I am using the auth0 lock configuration options to pass the max_age value.
I create the auth0lock options like this

and then pass them to the lock like this
I have verified through the “network” tab that the max_age is being passed as a parameter to the authorize call. I am still having no success in being forced to reauthenticate after 30 seconds.
Maybe I’m doing something wrong?
Hi @nikhil.batta,
Thanks for the update.
Could you please capture your login events in a HAR file and send them to me as a direct message to investigate further?
Thanks,
Rueben