I have an app in nextjs, I’m using the official auth0 sdk, I would like to keep id_token and access token short live (~30sec), the cookie in the app should update itself in order to expire always after 15min, if the user doesn’t interact with the app after 15min I should be logged out…if the cooke expire without an interaction I should be force to re-login and all the token must be useless…I’m a bit confused on how I should achieve this, my idea is to set:
tenant: Inactivity timeout = 15min
api: Token Expiration For Browser Flows / Token Expiration to 30 sec
app: id token in the app 30 sec
app: Refresh Token Rotation 120 sec (but it should be >30sec if I’m not wrong)
Yes, these settings will accomplish what you seek. However, you’ll also need to set the Token Expiration (Seconds) to 30 seconds in your API settings. See Update Access Token Lifetime for more details.
And in regards to the message you get, it’s referring to your Refresh Token Rotation expiry time. Because you’ve set the reuse interval value to 120 seconds, you’ll encounter the scenario where the access token expires within 30seconds but cannot get another access token while it is within 120 seconds from when the access token was originally requested. Therefore, as you observed, you must wait out the remaining time before you are allowed to reuse the refresh token to obtain a new access token.
In this case, you’ll need to change the Refresh Token Rotation reuse interval value to 30 seconds. Once that’s complete, you should have a rolling session.
Please let me know if there are any questions or concerns. I’d be happy to help.
thanks for the answer, I’ll try that solution, I have one more question, reading through issues/articles in the repo I read that the refresh token should used only with SPA app, and they suggest to add offline_access as scope and enable the offline_access in the api. which solution is better between these 2?
I believe in this case because you are using a regular web application with the Auth0 Next.js SDK, you’ll need to use the offline_access as a scope and enable offline_access in your API. This is the preferred approach.
Generally, the Refresh Token Rotation is used for maintaining sessions in SPAs because there isn’t a persistent storage mechanism to store long-lived refresh tokens securely. This is explained in greater detail in our Refresh Token Rotation documentation.