Hi, I’m trying to implement a SPA with some pages keeping the user logged in as long as possible, but I think got confused from accidentally having tenant idle session timeout set to the same time as max refresh token lifetime. (because I thought that it was how long one given refresh token was usable, not the whole series) this and having useRefreshTokensFallback enabled caused both increasing and decreasing the token lifetime to increase the login time. can someone verify that this is correct:
- max refresh token lifetime tells how long the user is allowed to rotate a series of refresh tokens.
- idle refresh token lifetime ends the series if the user has not done a rotation before the set time limit.
- refresh tokens exist outside of the actual auth0 session, so a series of refresh tokens can last a year while an auth0 session can only last 30 days. (depending on plan)
- rotating a refresh token does not keep the auth0 session alive.
Thanks