Mimecast breaks silent authentication

We have a client using Mimecast for their corporate email security. It seems to be disrupting the login session or state as they are having to continually login after closing their browser.

The experience is similar to these, although we are not using passwordless: “Mimecast triggering Passwordless OTP before getting to inbox” and “Passwordless login breaks for many users on corporate e-mail domains”.

We’ll be reaching out to the client to see if a whitelist policy can alleviate the problem, but are there any workarounds on the Auth0 side? Can anyone explain what is happening? We’re using the PKCE flow and refresh token rotation with a reuse interval of 0. Would increasing the reuse interval help?

Our current theory is that Mimecast and then the actual user both use the same refresh token, triggering breach detection.

Thanks.

Hey there @peter23 !

We could angle the problem from the perspective of access and refresh tokens storage options.

If the browser properties are leveraged to provide some storage persistence (so that refreshing or restoring a page with your app doesn’t result in a requirement to log in again), roughly two scenarios occur:

  1. local storage property is used which allows persistence over switching to different tabs with your app or reopening a browser.

If you have initiated your auth0 sdk with this option and still encounter the issue, it could potentially mean that some other process clears local storage once the browser is closed.

  2. page session storage / browser in-memory property is used which allows storing as long as a particular tab is open and (in case of some browsers) is immune to page reloads, but not persistent over switching to a different tab or reopening a browser.

If this logic is used in your app, the behaviour experienced by users seems to be expected.

I found these docs somewhat relevant:
