I’ve asked about that before [1], and there was a similar question recently [2], but just to reiterate: is it possible to set the token expiration time per connection for tokens that target an API?
Currently, I can set the token lifetime per API separately for non-interactive clients (via token_lifetime) and web flow clients (via token_lifetime_for_web, which btw is not documented in [3]).
However, I would like to have further configurability for my web clients on a per-connection basis. Namely, for my passwordless google-oauth2 or other social connections - a longer one (e.g. 24h).
Would there be any other way to enforce that on Auth0 server-side?
My ultimate goal is to allow clients to use social connections on their personal computers for longer sessions in my SPA, but to only allow short sessions if they log in from a ‘public’ computer using a temporary code (which they would not otherwise entrust with their Google etc. credentials).
One workaround may be to create a timeout in my client code that, depending on the connection used to obtain the token, will simply remove the token from localStorage after a period of inactivity, and trigger re-authentication. That seems to be achievable with some workarounds, but I’d still like to know if there is a better way.
Thanks a lot!
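One way to build the client-side workaround the question describes (a per-connection inactivity timeout that drops the token from localStorage and triggers re-authentication) is sketched below. This is an added example, not code from the original post or from Auth0. It assumes the ID token is a JWT whose sub claim has the form "<strategy>|<user_id>" (for instance "google-oauth2|123" or "email|456" for passwordless email), which is what Auth0 issues by default; the idle limits, storage keys, the IdleSession class and the sampleToken helper are illustrative choices made here. The storage argument is any object with the localStorage getItem/setItem/removeItem interface, so the same logic runs in the browser or under Node.

```javascript
// Added example (not from the original post): a client-side idle timeout whose
// length depends on the Auth0 connection the user logged in with.
// Assumptions: the ID token's `sub` claim is "<strategy>|<id>" as Auth0 issues
// by default; the idle limits below are illustrative; `storage` implements the
// localStorage interface so this also runs under Node for testing.

const IDLE_LIMIT_MS = {
  'google-oauth2': 24 * 60 * 60 * 1000, // social login on a personal machine: 24 h
  'email': 15 * 60 * 1000,              // passwordless code on a shared machine: 15 min
  'sms': 15 * 60 * 1000,
};
const DEFAULT_IDLE_LIMIT_MS = 15 * 60 * 1000; // unknown connection: stay strict

const ID_TOKEN_KEY = 'auth0.id_token';          // hypothetical storage keys
const LAST_ACTIVITY_KEY = 'auth0.last_activity';

// base64url helpers that work in the browser (btoa/atob) and in Node (Buffer).
function b64urlEncode(text) {
  const b64 = typeof btoa === 'function' ? btoa(text) : Buffer.from(text, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(s) {
  let b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4) b64 += '=';
  return typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
}

// Reads the JWT payload without verifying the signature: the SPA only uses the
// claims to pick a local policy. The API must still verify the token itself.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// "google-oauth2|123" -> "google-oauth2"
function connectionStrategy(jwt) {
  const sub = decodeJwtPayload(jwt).sub || '';
  return sub.split('|')[0];
}

function idleLimitFor(jwt) {
  return IDLE_LIMIT_MS[connectionStrategy(jwt)] ?? DEFAULT_IDLE_LIMIT_MS;
}

class IdleSession {
  // now() is injectable so tests can move the clock; onExpired receives the reason.
  constructor(storage, now = () => Date.now(), onExpired = () => {}) {
    this.storage = storage;
    this.now = now;
    this.onExpired = onExpired;
  }
  store(jwt) {
    this.storage.setItem(ID_TOKEN_KEY, jwt);
    this.storage.setItem(LAST_ACTIVITY_KEY, String(this.now()));
  }
  touch() { // call on user activity (click, keydown, navigation)
    if (this.storage.getItem(ID_TOKEN_KEY) !== null) {
      this.storage.setItem(LAST_ACTIVITY_KEY, String(this.now()));
    }
  }
  clear() {
    this.storage.removeItem(ID_TOKEN_KEY);
    this.storage.removeItem(LAST_ACTIVITY_KEY);
  }
  // Returns 'none' | 'active' | 'idle-expired' | 'token-expired'.
  // On either expiry the token is removed and onExpired is called to re-authenticate.
  check() {
    const jwt = this.storage.getItem(ID_TOKEN_KEY);
    if (jwt === null) return 'none';
    const nowMs = this.now();
    const { exp } = decodeJwtPayload(jwt); // exp is in seconds
    if (typeof exp === 'number' && exp * 1000 <= nowMs) {
      this.clear(); this.onExpired('token-expired'); return 'token-expired';
    }
    const last = Number(this.storage.getItem(LAST_ACTIVITY_KEY));
    if (nowMs - last > idleLimitFor(jwt)) {
      this.clear(); this.onExpired('idle-expired'); return 'idle-expired';
    }
    return 'active';
  }
}

// Constructed, unsigned sample token for local illustration only.
function sampleToken(sub, expSeconds) {
  const header = b64urlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  const payload = b64urlEncode(JSON.stringify({ sub, exp: expSeconds, iss: 'https://example.auth0.com/' }));
  return `${header}.${payload}.`;
}

// Browser wiring (skipped under Node): touch on activity, check every 30 s.
if (typeof window !== 'undefined' && window.localStorage) {
  const session = new IdleSession(window.localStorage, () => Date.now(), () => window.location.reload());
  ['click', 'keydown'].forEach((ev) => window.addEventListener(ev, () => session.touch()));
  setInterval(() => session.check(), 30 * 1000);
}
```

The strategy prefix of sub is the only connection signal the client has after login, so the policy is keyed on it; a real deployment would also respond to the idle expiry by routing the user back through the Auth0 login rather than reloading. Note that this remains a client-side control: a copied token stays valid on the API until the server-side token_lifetime elapses.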