Preferred approach for handling session expiration due to inactivity with django + react

I have looked all around for this and read through the docs but still cannot seem to find the exact answer I am looking for.

I have a web app using auth0 that requires inactivity timeout of 20 minutes. I am using @auth0/auth0-react to manage everything in the react application.

The problem is I cannot figure out how to correctly manage the session expiration due to idleness. Everything I have read in the docs says that the session activity is updated when calling the /authorize endpoint, which auth0-react's getAccessTokenSilently does when the token is expired or if it's going to expire within a minute. My current auth0 settings are:

  • session idle expiration 20 minutes
  • max session expiration 24 hours
  • access token expiration 10 minutes

Consider this scenario.

  • User logs in at 11:01
  • User does some things in the app until 11:08 then stops and session has not been updated yet because token is valid
  • User does not do anything until 11:25 but at this point the session is expired (as of 11:21) and so is token

Now, considering the user stopped all activity at 11:08 the desire is for the session to expire at 11:28 due to inactivity. I assume this is a fairly common use case and admit I likely am overcomplicating this and just not doing it right.

My current approach which does not handle all scenarios is to track mouse clicks and key strokes and debounce them, do a check on when token was issued to say if the token was issued more than 2 minutes ago → when true call getAccessTokenSilently with 'cacheMode': 'off' to get a new token and update session activity.

Help is greatly appreciated.
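The timeline in the question, worked through as an added example that is not part of the original post: a small model comparing when the session's idle clock runs out under the two refresh policies described above. It assumes, as the post describes, that only a token refresh moves the session's idle clock; `simulate`, `onExpiry` and `olderThan2` are hypothetical names, and the per-minute activity events are constructed.

```javascript
// Constructed model of the question's timeline; times are minutes since midnight.
const IDLE = 20, TOKEN_TTL = 10;                 // settings quoted in the post
const hm = (h, m) => h * 60 + m;
const fmt = (t) => `${Math.floor(t / 60)}:${String(t % 60).padStart(2, "0")}`;

// shouldRefresh(tokenAge) decides whether an activity event triggers a token
// refresh. Assumption: a refresh is the only thing that resets the idle clock.
function simulate(login, activity, shouldRefresh) {
  let lastTouch = login, tokenIssued = login, lastActive = login;
  for (const t of activity) {
    if (t >= lastTouch + IDLE) break;            // session already expired
    lastActive = t;
    if (shouldRefresh(t - tokenIssued)) {
      lastTouch = t;                             // session activity updated
      tokenIssued = t;                           // new token issued
    }
  }
  return { sessionExpires: lastTouch + IDLE, desired: lastActive + IDLE };
}

// Policy as the post describes getAccessTokenSilently: refresh only when the
// token is expired or within one minute of expiring.
const onExpiry = (age) => age >= TOKEN_TTL - 1;
// The post's workaround: refresh on activity once the token is older than 2 minutes.
const olderThan2 = (age) => age > 2;

const login = hm(11, 1);
const activity = [2, 3, 4, 5, 6, 7, 8].map((m) => hm(11, m)); // constructed events

for (const [name, policy] of [["onExpiry", onExpiry], ["olderThan2", olderThan2]]) {
  const r = simulate(login, activity, policy);
  console.log(`${name}: session expires ${fmt(r.sessionExpires)}, desired ${fmt(r.desired)}`);
}
```

In this model the session's expiry trails the desired one (last activity plus 20 minutes) by at most the refresh threshold, so the 2-minute check closes the gap from 7 minutes to 1 for this timeline.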