PKCE vs credentials grant token lifetime

We have two types of authentication to an API.

  • One is where users log in through a React app on the web using the @auth0/auth0-react package, PKCE grant.
  • The other type is machine to machine access using a client credentials grant flow.

We are trying to configure two different token lifetimes for these two different flows. Here’s how we have it configured in the yaml config:

    token_lifetime: 86400
    token_lifetime_for_web: 1800

So, basically we want our web clients to have a token timeout of 30 minutes and our M2M tokens to have a timeout of 1 day.

The problem: when we log in using the web flow it uses the token lifetime value for our web tokens. We were surprised as there is a configuration value specifically for web.

Is there some way to get our React app to use tokens with a lifetime shorter than the token lifetime used by M2M applications?

Thanks community! :slight_smile:


Hi @corylogan , welcome to the community!

PKCE flows use the token_lifetime setting, and this is expected.

The “Token expiration for Browser Flows” / token_lifetime_for_web option is only used for Implicit and Hybrid flows.


Thanks so much for the input @sgo.

So, wondering then, how can we have different token lifetimes for our M2M tokens and our PKCE tokens? Is that not possible?
We have security requirements for our web facing applications, but we don’t want to burn tons of M2M tokens as we have a monthly quota to try and stay under.

Thanks!


Hey @corylogan

I don’t think this is possible easily - the token expiration is associated with the API, not the application.

You CAN do this by defining two different APIs in Auth0, one for the M2M application and one for the user facing app. Your actual API would then have to accept both kinds of tokens (they would have different audiences, but the same signing keys)

John


@john.gateley I’ll confess, I don’t love it. But this is a workable solution! So thanks so much for that! We may go about implementing it like this.

Cheers,
Cory


Glad we have some kind of solution! Teamwork makes the dreamwork!