I am new to the OAuth2 and Auth0 world.
I am writing a Chrome extension that works when the user is playing a YouTube video in the Chrome browser. I need basic user information (username and email). The purpose is to get information on the user's behaviour, i.e. how they use the extension.
So I use Auth0 services to authenticate the user. In the code I do a GET request on https://${domain}/authorize and pass scope as openid profile email. I get an access token and an ID token, which is parsed, and the user information is obtained successfully. My app is registered as a SPA (Single Page Application) in the Auth0 settings.
The user information (name and email) is stored in Chrome local storage. The first question is when to re-authenticate the user. The user may use my extension only for some duration at various times. However, in between two usages, she might have closed the browser, or might have signed out of YouTube/Google and someone else might have signed in. How do I know that now is the time to ask the user to sign in again? For how long can I assume that the previously received user information is still valid?
The next question is: at the time of re-authentication, is there a way I can verify that the same user is still logged in, so that it need not prompt the user and can just re-authenticate in the background? I did try prompt=none in the authorize GET request, but I get an error that login is required.