According to this community post, rolling session durations should be kept consistent between the SDK and Auth0 (“Inactivity timeout”). However, each session layer has different ways of keeping a session active.
To my understanding, the Auth0 inactivity timeout can be refreshed by interacting with the Authorization server through two means:
- logging in (`/authorize`)
- getting an access token, or exchanging a refresh token (`/oauth/token`)
Whereas in the application session layer, there are more opportunities for the inactivity timeout to be refreshed (e.g. every request updates the session). Relatively, the Auth0 session sees low levels of activity with regard to rolling a session.
In fact, the Auth0 session can even expire while the application session is still active – given that there had been no interaction with the Authorization server in the rolling session duration, but the user had been active in the application.
Are there any best practices to avoid such inconsistency? What are the implications of Auth0 session expiring before the app session? It sounds wrong for the session to expire in Auth0 but remain valid in the app.
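To make the drift between the two rolling clocks concrete, here is an added simulation (example code, not part of the original post and not Auth0's own logic). It assumes a simplified model: `/authorize` starts or rolls both sessions, `/oauth/token` rolls only the Auth0 session, and any other application request rolls only the application session; the timeouts and the activity pattern are constructed values, with times in hours since login.

```python
# Constructed model of the two rolling inactivity clocks described in the post.
# Assumptions (not from the post): /authorize starts/rolls both sessions,
# /oauth/token rolls only the Auth0 session, any other path rolls only the
# application session. Times are hours since the initial login.
AUTH0_ONLY = {"/oauth/token"}
BOTH = {"/authorize"}


def simulate(events, auth0_idle, app_idle):
    """Replay (time, path) events and return (auth0_expired_at, app_expired_at);
    None means that layer was still alive after the last event."""
    events = sorted(events)
    auth0_last = app_last = events[0][0]
    auth0_expired = app_expired = None
    for t, path in events:
        # Expire a layer whose inactivity window elapsed before this event.
        if auth0_expired is None and t - auth0_last > auth0_idle:
            auth0_expired = auth0_last + auth0_idle
        if app_expired is None and t - app_last > app_idle:
            app_expired = app_last + app_idle
        # Only a live layer can be rolled; an expired one needs a fresh login.
        if path in BOTH | AUTH0_ONLY and auth0_expired is None:
            auth0_last = t
        if path not in AUTH0_ONLY and app_expired is None:
            app_last = t
    return auth0_expired, app_expired


def auth0_expired_before_app(events, auth0_idle, app_idle):
    """True when the Auth0 session timed out while the app session was still live."""
    a, b = simulate(events, auth0_idle, app_idle)
    return a is not None and (b is None or a < b)


# Constructed activity: one login, then an app request every 12 h for five days.
APP_ONLY = [(0, "/authorize")] + [(h, "/api/orders") for h in range(12, 121, 12)]
# Same activity, plus a refresh-token exchange every 48 h (keeps Auth0 rolling).
WITH_REFRESH = APP_ONLY + [(48, "/oauth/token"), (96, "/oauth/token")]

if __name__ == "__main__":
    print(simulate(APP_ONLY, 72, 24))      # (72, None): Auth0 expired at 72 h, app still live
    print(simulate(WITH_REFRESH, 72, 24))  # (None, None): both sessions still live
```

Running it shows the exact situation the post describes: with app-only traffic the Auth0 session lapses at 72 h while the app session keeps rolling, and a periodic refresh-token exchange within the Auth0 inactivity window removes the drift.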