PKCE vs credentials grant token lifetime

corylogan · April 30, 2021, 12:25am

We have two types of authentication to an API.

One is where users log in through a react app on the web using the @auth0/auth0-react package, PKCE grant.
The other type is machine to machine access using a client credentials grant flow.

We are trying to configure two different token lifetimes for these two different flows. Here’s how we have it configured in the yaml config:

    token_lifetime: 86400
    token_lifetime_for_web: 1800

So, basically we want our web clients to have a token timeout of 30 minutes and our M2M tokens to have a timeout of 1 day.

The problem: when we log in using the web flow it uses the token lifetime value for our web tokens. We were surprised as there is a configuration value specifically for web.

Is there some way to get our React app to use tokens with a lifetime shorter than the token lifetime used by M2M applications?

Thanks community!

sgo · April 30, 2021, 2:20pm

Hi @corylogan , welcome to the community!

PKCE flows use the token_lifetime setting and is expected.

The “Token expiration for Browser Flows” / token_lifetime_for_web option is only used for Implicit and Hybrid flows:

corylogan · May 1, 2021, 12:13am

Thanks so much for the input @sgo.

So, wondering then, how can we have different token lifetimes for our M2M tokens and our PKCE tokens? Is that not possible?
We have security requirements for our web facing applications, but we don’t want to burn tons of M2M tokens as we have a monthly quota to try and stay under.

Thanks!

john.gateley · May 3, 2021, 4:41pm

Hey @corylogan

I don’t think this is possible easily - the token expiration is associated with the API, not the application.

You CAN do this by defining two different APIs in Auth0, one for the M2M application and one for the user facing app. Your actual API would then have to accept both kinds of tokens (they would have different audiences, but the same signing keys)

John

corylogan · May 3, 2021, 5:46pm

@john.gateley I’ll confess, I don’t love it. But this is a workable solution! So thanks so much for that! We may go about implementing it like this.

Cheers,
Cory

konrad.sopala · May 4, 2021, 9:45am

Glad we have some kind of solution! Teamwork makes the dreamwork!

system · May 19, 2021, 9:46am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Token Expiration for PKCE flow(used in auth0-js-spa SDK) Help attack-protection , general-attack-protection	2	1329	March 28, 2023
M2M and Web App Token Lifetimes Knowledge Articles token , m2m-tokens , token-lifetime , api-token	1	191	June 5, 2024
Token expiration Help pkce	2	3133	June 9, 2020
Set different access token expiration depending on application grant type? Knowledge Articles access-token , expiration , grant-types	1	1119	August 11, 2023
What's the limit for API Token Expiration For Browser Flows (Seconds)? Help api-authorization	9	12141	March 2, 2018

PKCE vs credentials grant token lifetime

Related Topics