Hi, I’m trying to implement a SPA with some pages keeping the user logged in as long as possible, but I think I got confused from accidentally having the tenant idle session timeout set to the same time as the max refresh token lifetime (because I thought that it was how long one given refresh token was usable, not the whole series). This, and having useRefreshTokensFallback enabled, caused both increasing and decreasing the token lifetime to increase the login time. Can someone verify that this is correct:
- max refresh token lifetime tells how long the user is allowed to rotate a series of refresh tokens.
- idle refresh token lifetime ends the series if the user has not done a rotation before the set time limit.
- refresh tokens exist outside of the actual auth0 session, so a series of refresh tokens can last a year while an auth0 session can only last 30 days. (depending on plan)
- rotating a refresh token does not keep the auth0 session alive.
Thanks
Hi @henrikb
Welcome to the Auth0 Community!
I am sorry about the delayed response to your inquiry.
To answer your questions:
- By enabling the Maximum Refresh Token Lifetime setting, the refresh tokens will be set to expire after the set amount of time regardless of the activity of the user, meaning that if you have set the lifetime to be 3 months for a user authenticated in January, the refresh tokens will expire in April. Also, as mentioned by our documentation:
Maximum Lifetime: Set a refresh token or refresh token family lifetime after which the user must re-authenticate before being issued a new access token. If you disable this setting, the maximum lifetime will be indefinite.
- The Idle Refresh Token Lifetime will invalidate the refresh token if the user has been inactive for the set time period within the application. As you have mentioned, if a user does not authenticate or rotate their tokens, the tokens will get invalidated. This is also mentioned in the documentation linked above:
Idle Lifetime: Set the idle lifetime of issued refresh tokens to expire if the user is not active in your application during a specified period.
- Basically, refresh tokens are used to retrieve a new access token from Auth0 in order to not disrupt a user’s session. We usually refer to this as offline access. Retrieving an access token to continue the user’s session inside the application, as you have said, does not refresh the Auth0 user session, since the user was not forced to re-authenticate but rather had their application session extended. I would recommend reading about sessions in our documentation.
If you have any other questions on the matter, let me know!
Kind Regards,
Nik
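To make the four points in the question and the answer above concrete, here is an added example that is not from the thread, Auth0's documentation or the Auth0 SDK. It models a rotating refresh token family governed by a maximum (absolute) lifetime and an idle lifetime, alongside a separate Auth0 session that rotation never touches. The policy values, the `DAY` constant and every function name (`login`, `rotate`, `refreshTokenStatus`, `simulate`) are constructed for the illustration; real tenant settings and SDK APIs differ.

```javascript
// Added example: a model of refresh-token rotation with an absolute (maximum)
// lifetime and an idle lifetime, kept separate from the Auth0 SSO session.
// All times are in seconds. Policy values are constructed, not real defaults.
const DAY = 24 * 3600;
const POLICY = {
  maxRefreshTokenLifetime: 30 * DAY, // absolute cap on the whole token family
  idleRefreshTokenLifetime: 7 * DAY, // longest allowed gap between rotations
  sessionLifetime: 3 * DAY,          // Auth0 session lifetime (constructed)
};

let counter = 0;

// login() starts a new token family and a new Auth0 session at time t.
// The family remembers when it was created (for the max lifetime) and when
// it was last rotated (for the idle lifetime).
function login(t, policy = POLICY) {
  return {
    family: { createdAt: t, lastRotatedAt: t, currentToken: `rt-${++counter}` },
    session: { createdAt: t, expiresAt: t + policy.sessionLifetime },
  };
}

// Is the family still usable at time t? Max lifetime is measured from the
// first login; idle lifetime is measured from the most recent rotation.
function refreshTokenStatus(family, t, policy = POLICY) {
  if (t >= family.createdAt + policy.maxRefreshTokenLifetime) return 'expired:max-lifetime';
  if (t >= family.lastRotatedAt + policy.idleRefreshTokenLifetime) return 'expired:idle';
  return 'valid';
}

// rotate() exchanges the current refresh token for a new one. It only resets
// the idle clock, never the absolute clock, and it leaves the Auth0 session
// untouched: this is the "offline access" path, not a re-authentication.
function rotate(state, presentedToken, t, policy = POLICY) {
  const { family } = state;
  const status = refreshTokenStatus(family, t, policy);
  if (status !== 'valid') return { ok: false, reason: status };
  if (presentedToken !== family.currentToken) return { ok: false, reason: 'stale-token' };
  family.currentToken = `rt-${++counter}`;
  family.lastRotatedAt = t;
  return { ok: true, refreshToken: family.currentToken };
}

function sessionAlive(state, t) {
  return t < state.session.expiresAt;
}

// Walk a timeline of rotation attempts after a login at t=0 and report, at
// each step, whether the rotation succeeded and whether the Auth0 session is
// still alive. Shows that a family can outlive the session many times over.
function simulate(rotationTimes, policy = POLICY) {
  const state = login(0, policy);
  let token = state.family.currentToken;
  return rotationTimes.map((t) => {
    const r = rotate(state, token, t, policy);
    if (r.ok) token = r.refreshToken;
    return { day: t / DAY, rotation: r.ok ? 'ok' : r.reason, sessionAlive: sessionAlive(state, t) };
  });
}

// Rotating every 5 days: the session is dead from day 3, yet rotations keep
// working until the absolute cap at day 30 ends the whole series.
console.table(simulate([5, 10, 15, 20, 25, 30].map((d) => d * DAY)));
// A single 8-day gap exceeds the 7-day idle limit and ends the series early.
console.table(simulate([8 * DAY]));
```

Running the block shows the two failure modes side by side: the idle limit bites as soon as one gap between rotations is too long, while the maximum lifetime bites at a fixed point after login no matter how actively the tokens were rotated. Setting the two values equal, as in the question, makes the idle limit redundant (it can never expire before the absolute cap), which is why changing it had no visible effect.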