The service that my team is implementing is getting users’ login history through the log events.
Now, we are only getting log events that are either “Success Login” or “Failed Login”.
Recently, we found out that there are users who only have “Success Exchange” in the log events for 90 days, so we get “empty” logs when we are trying to get the users’ login history.
May I know what are the conditions that cause events “Success Exchange” and “Success Login” happening?
Success Login refers to when a user fully does a new authentication into Auth0.
Success Exchange can refer to a lot of things, you have to look at the actual logs to interpret them.
If the user has a refresh token that lives for 90 days, they wouldn’t need to log back in until the refresh token expires. They would keep having Success Exchange (specifically a sertft) until the refresh token grant is expired or revoked.
Thanks for sharing that with the rest of the community!
Thank you for the reply!
Sorry that I am not quite familiar with refresh tokens, so I would like to confirm whether the “Success Exchange” event happening continuously is only because of the refresh token. By the way, I had checked the details of the log; it is “Successful exchange of Password for Access Token” (sepft).
The application our users are logging in to is a “Machine to Machine” application, which has neither “Refresh token rotation” nor “Refresh token expiration” enabled. Whenever a user “logs in”, it is actually getting a new access token and ID token. (We are using C# AuthenticationApiClient.GetTokenAsync())
I had also checked the device credentials the user is holding using the Management API (/api/v2/device-credentials). The user has zero device credentials, but is still getting “Success Exchange”.
So, is refresh token still the reason for user getting “Success Exchange” in log events?
If it is not, what kind of action will cause “Success Exchange” event change back to “Success Login”?
Are you using the Resource Owner Password Flow? I’m not too familiar with how Auth0 handles this. It seems like the grant gets tracked as a sepft; whereas logging in with something like an Authorization Code Grant would track both a Success Login and a seacft (another kind of Success Exchange).
Yes, we are using the Resource Owner Password Flow. It seems like login/getting access token using this flow only returns “Success Exchange” in log events…
I’d like to confirm whether the Resource Owner Password Flow does not return “Success Login” or “Failed Login” events at all. May I know whether there is any documentation that talks about this, or should I open a new post to ask about this specifically?
I would guess that Resource Owner flow wouldn’t give a successful login because it doesn’t actually involve the Auth0 login screen, meaning the user hasn’t actually logged into Auth0. You would probably need to interpret a sepft as a successful login and fepft as failed (unless you don’t use refresh tokens, then it’s more complicated).
I see… Thank you for the suggestion and all the replies!
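The interpretation suggested in the thread, as an added example that is not part of the original posts or Auth0's own code: it builds a per-user login history in which sepft/fepft count as login success/failure, while sertft and seacft are not counted as new logins. The "s" and "f" codes for Success Login and Failed Login, the field names `type`, `date`, `user_id` and `user_name`, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# sepft, fepft, seacft and sertft are the codes named in the thread; "s" and "f"
# (Success Login / Failed Login) and the field names are assumptions.
SUCCESS = {"s", "sepft"}
FAILURE = {"f", "fepft"}
# Not counted: seacft accompanies an "s" in the Authorization Code flow (counting
# both would double the login), and sertft is a refresh without re-authentication.

def login_history(events):
    """Return {user: [(datetime, 'success' | 'failure'), ...]} in time order."""
    history = defaultdict(list)
    for ev in events:
        code = ev["type"]
        if code not in SUCCESS | FAILURE:
            continue
        # Assumption: a failed attempt may lack user_id, so fall back to user_name.
        user = ev.get("user_id") or ev.get("user_name") or "unknown"
        when = datetime.fromisoformat(ev["date"].replace("Z", "+00:00"))
        history[user].append((when, "success" if code in SUCCESS else "failure"))
    for entries in history.values():
        entries.sort()
    return dict(history)

def summarize(history):
    """Per user: last successful login and number of failures recorded after it."""
    out = {}
    for user, entries in history.items():
        last_ok = max((t for t, r in entries if r == "success"), default=None)
        fails = sum(1 for t, r in entries
                    if r == "failure" and (last_ok is None or t > last_ok))
        out[user] = {"last_success": last_ok, "failures_since": fails}
    return out

# Constructed sample events (not real tenant logs).
SAMPLE = [
    {"type": "sepft", "date": "2024-01-01T08:00:00Z", "user_id": "auth0|alice"},
    {"type": "sertft", "date": "2024-01-01T09:00:00Z", "user_id": "auth0|alice"},
    {"type": "fepft", "date": "2024-01-02T08:00:00Z", "user_id": "auth0|alice"},
    {"type": "fepft", "date": "2024-01-02T08:01:00Z", "user_id": "auth0|alice"},
    {"type": "s", "date": "2024-01-01T10:00:00Z", "user_id": "auth0|bob"},
    {"type": "seacft", "date": "2024-01-01T10:00:01Z", "user_id": "auth0|bob"},
    {"type": "sertft", "date": "2024-01-03T10:00:00Z", "user_id": "auth0|carol"},
    {"type": "fepft", "date": "2024-01-03T11:00:00Z", "user_name": "dave@example.com"},
]

if __name__ == "__main__":
    for user, info in summarize(login_history(SAMPLE)).items():
        print(user, info["last_success"], info["failures_since"])
```

A user such as the constructed `auth0|carol`, whose only events are refresh-token exchanges, has no entry at all, so the caller has to decide how to report "no login recorded in the retention window".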