I have an app in Next.js and I'm using the official Auth0 SDK. I would like to keep the id_token and access token short-lived (~30 sec); the cookie in the app should update itself so that it always expires after 15 min, and if the user doesn't interact with the app for 15 min I should be logged out. If the cookie expires without an interaction I should be forced to re-login and all the tokens must be useless. I'm a bit confused about how I should achieve this; my idea is to set:
- tenant: Inactivity timeout = 15min
- api: Token Expiration For Browser Flows / Token Expiration to 30 sec
- app: id token in the app 30 sec
- app: Refresh Token Rotation 120 sec (but it should be >30sec if I’m not wrong)
- app: Refresh Token Expiration absolute lifetime 3600 / inactivity 900 sec
are these the correct settings?
With these settings I sometimes get:
The access token expired and a refresh token is not available. The user will need to sign in again.
Thanks for reaching out to the Auth0 Community!
Yes, these settings will accomplish what you seek. However, you’ll also need to set the Token Expiration (Seconds) to 30 seconds in your API settings. See Update Access Token Lifetime for more details.
And in regards to the message you get, it's referring to your Refresh Token Rotation expiry time. Because you've set the reuse interval value to 120 seconds, you'll encounter the scenario where the access token expires within 30 seconds but cannot get another access token while it is within 120 seconds from when the access token was originally requested. Therefore, as you observed, you must wait out the remaining time before you are allowed to reuse the refresh token to obtain a new access token.
In this case, you’ll need to change the Refresh Token Rotation reuse interval value to 30 seconds. Once that’s complete, you should have a rolling session.
Please let me know if there are any questions or concerns. I’d be happy to help.
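The rolling-session behaviour the question asks for and the reply confirms, as an added example that is not part of the thread or of the Auth0 SDK: a small model of the lifetimes quoted above (30 s tokens, 15 min inactivity, 3600 s absolute) so the interaction between them can be checked offline. The function and field names are hypothetical; times are epoch seconds.

```javascript
// Lifetimes taken from the thread; the policy object itself is constructed for this example.
const POLICY = {
  accessTokenTtl: 30,      // API "Token Expiration" (seconds)
  inactivityTimeout: 900,  // rolling session: 15 min without interaction
  absoluteLifetime: 3600,  // refresh-token absolute lifetime (seconds)
};

// A session record as the app cookie might carry it (constructed shape, not the SDK's).
function createSession(now) {
  return { createdAt: now, lastActivity: now, tokenIssuedAt: now };
}

// Evaluated on every authenticated request. The absolute limit is checked first
// because no amount of activity may extend a session past it.
function evaluate(session, now, policy = POLICY) {
  if (now - session.createdAt >= policy.absoluteLifetime) return 'reauth:absolute-lifetime';
  if (now - session.lastActivity >= policy.inactivityTimeout) return 'reauth:inactivity';
  if (now - session.tokenIssuedAt >= policy.accessTokenTtl) return 'refresh-access-token';
  return 'ok';
}

// Interaction path: rolls the cookie forward and marks a fresh token when the old one is stale.
// A session that needs re-authentication is dropped rather than extended.
function touch(session, now, policy = POLICY) {
  const state = evaluate(session, now, policy);
  if (state.startsWith('reauth')) return { session: null, state };
  const next = { ...session, lastActivity: now };
  if (state === 'refresh-access-token') next.tokenIssuedAt = now;
  return { session: next, state };
}

module.exports = { POLICY, createSession, evaluate, touch };
```

Running the model with an interaction every 10 minutes shows the cookie rolling until the absolute lifetime ends it, while an idle session ends after exactly 15 minutes.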
Hello @rueben.tiow ,
thanks for the answer, I'll try that solution. I have one more question: reading through issues/articles in the repo I read that the refresh token should be used only with SPA apps, and they suggest adding offline_access as a scope and enabling offline_access in the API. Which of these 2 solutions is better?
Thank you for your response.
I believe in this case, because you are using a regular web application with the Auth0 Next.js SDK, you'll need to use offline_access as a scope and enable offline_access in your API. This is the preferred approach.
Refresh Token Rotation is used for maintaining sessions in SPAs because there isn’t a persistent storage mechanism to store long-lived refresh tokens securely. This is explained in greater detail in our Refresh Token Rotation documentation.
Hope this helps!