Need access to Absolute Expiry of refresh token in the UI


I have a requirement to show a prompt to the user when he/she is approaching the absolute expiry of a refresh token.

The prompt will read something like:

“For security reasons your session is about to expire. In 1 minute you will be logged out.”

In the UI (React application), how can I determine how long the user has left until the refresh token absolute expiry time is reached?

Hey there @tkiddle welcome back to the community :slight_smile:

The only way I’m aware of retrieving that value is via the Management API get client by id - token_lifetime in particular:

Given that this does require using a Management API access token, you’d want to be sure and proxy this through a backend as outlined in the following FAQ:

Hope this helps!

2 Likes

I was hoping this wouldn’t be the answer. :slight_smile: What I actually need is a timestamp for the date/time of absolute expiry. Ideally this should be sent down with the response from getTokenSilently. This would allow me to track the time until the user is to be auto logged out so I can show a message to the user ahead of time.

Hey @tkiddle thanks for the further explanation - I guess I am unclear why you need the absolute expiry of the refresh token? The user’s session (at Auth0) is entirely separate from the expiration of the refresh token.

The following topic may be useful as well:

Keep us posted!

1 Like

Thanks for sharing the link to that other thread. Unfortunately, that is a different problem (inactivity timeout, not absolute expiry), but one I also need a solution for. The solution proposed in that thread doesn’t solve the problem.

Here’s the scenario:

Absolute expiry time: 60 minutes

  • User logs in
  • The user starts performing their daily tasks and does so continuously
  • X minutes before the absolute expiry is reached a message should appear in the UI that reads:

“For security reasons your session is about to expire. In X minutes you will be logged out.”

How can I achieve this without being able to see the time/date of absolute expiry in the getToken response?
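One way to drive the prompt in the scenario above, as an added example that is not part of the thread or of Auth0's SDK. It assumes a backend proxy supplies the client's absolute refresh token lifetime in seconds (the `token_lifetime` value mentioned earlier), that the app recorded the time of the interactive login, and that the absolute lifetime counts from that login; the function names, `skewSec` and the sample values are hypothetical.

```javascript
// Added example. Assumptions: lifetimeSec comes from a backend proxy (never a
// Management API token in the browser); issuedAtMs is the interactive login time.
const MAX_TIMEOUT_MS = 2 ** 31 - 1; // setTimeout misbehaves above this delay

function sessionStatus({ issuedAtMs, lifetimeSec, warnBeforeSec, nowMs, skewSec = 30 }) {
  const nums = [issuedAtMs, lifetimeSec, warnBeforeSec, nowMs, skewSec];
  if (!nums.every(Number.isFinite) || lifetimeSec <= 0 || warnBeforeSec < 0) {
    throw new TypeError("timing values must be finite, lifetime must be positive");
  }
  // Expire slightly early so the UI never promises more time than the
  // authorization server will honour (clock skew between browser and server).
  const expiresAtMs = issuedAtMs + (lifetimeSec - skewSec) * 1000;
  const warnAtMs = expiresAtMs - warnBeforeSec * 1000;
  const remainingMs = Math.max(0, expiresAtMs - nowMs);
  let phase = "active";
  if (remainingMs === 0) phase = "expired";
  else if (nowMs >= warnAtMs) phase = "warn";
  // Time until the next phase change: active -> warn, or warn -> expired.
  const nextChangeMs = phase === "active" ? warnAtMs - nowMs : remainingMs;
  return { phase, remainingMs, minutesLeft: Math.ceil(remainingMs / 60000), nextChangeMs };
}

// Calls onUpdate with the current status, then again at each phase change and
// once a minute while warning. Every tick recomputes from the wall clock, so
// throttled background-tab timers cannot make the countdown drift.
function watchSession(cfg, onUpdate, clock = Date.now) {
  let timer = null;
  const tick = () => {
    const status = sessionStatus({ ...cfg, nowMs: clock() });
    onUpdate(status);
    if (status.phase === "expired") return;
    const delay = status.phase === "warn"
      ? Math.min(status.nextChangeMs, 60000)
      : status.nextChangeMs;
    timer = setTimeout(tick, Math.min(delay, MAX_TIMEOUT_MS));
  };
  tick();
  return () => clearTimeout(timer); // call on logout or component unmount
}
```

In a React component, `watchSession` would be started in an effect, its return value used as the cleanup function, and `minutesLeft` rendered in the prompt while `phase` is `"warn"`.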

I have a similar request. If I use the expiry from the access token to notify the user that their session is about to time out or has already timed out, it is likely that they will be redirected to log in and then automatically redirected back to where they were. This seems like an undesirable workflow. It would be useful to be able to directly obtain the date-time when their session will become invalid due to inactivity.