Question about ID token and access token with auth0-nextjs

I am confused about how the ID token and access tokens’ lifetimes interact.

I am using auth0-nextjs. All my pages are protected with withPageAuthRequired. I then use getAccessToken to get an access token that’s used with my API. When will the user be required to log in again: when the ID token expires, or when the access token expires? Does it make any sense for the ID token and access token to have different expiration times?

Hi @alexp,

Welcome to the Auth0 Community!

The user will be required to log in again once the access token expires.

Yes, it does make sense because they serve different purposes and do not interact with each other. Since access tokens are used for authentication to allow access to an API, they would typically have longer lifetimes using refresh tokens for extended access.

Whereas ID tokens are used for authentication to cache user profile information. The session lifetime for ID tokens is typically short-lived for security reasons.

I hope that answers your questions, let me know if you have any more.

Thanks,
Rueben

Maybe I should have been more clear. What I meant was: when will withPageAuthRequired force a user to log in again? This seems to be when the ID token expires, not when the access token expires.

I am having an issue where the access token expires before the ID token, even though the access token has a longer lifetime. I.e., the user will still have a valid session, but the access token request fails with ERR_FAILED_REFRESH_GRANT - mfa_required. I’m not sure how this would happen. I suspect it may have something to do with how refresh tokens work for the access token vs the ID token. I can see how to configure refresh tokens for the ID token: under Application → Settings → Refresh Token Expiration. I can’t find how to configure the refresh token for an access token, however.

According to the documentation:

Refresh tokens are used to request a new access token and/or ID token for a user without requiring them to re-authenticate.

But I can’t find anything about configuring the refresh tokens for an api access token.