Refresh Token and Session Management

Last Updated: Sep 16, 2024

Overview

This article details how to keep sessions alive for longer periods of time, even without user activity.

Applies To

  • Refresh Token
  • Session Management

Solution

The Absolute Lifetime applies to the refresh token (see Configure Refresh Token Expiration). If this setting is disabled, the absolute lifetime is indefinite, as stated in that document.

The default Access Token expiration is 24 hours, and ID Token expiration is 10 hours. Refer to these documents for more information:

Some areas of consideration for session and token lifetimes and where to find them in tenant and application settings:

A. Dashboard > Applications > APIs > API setting

Token Settings > Token Expiration / Token Expiration For Browser Flows [for testing purposes, set shorter intervals like 60 seconds]

  • This is the expiry of the Access Token.
  • Once this time has elapsed and the user performs any activity on the page, the silent authentication process is triggered and a new Access Token is issued.
  • The maximum allowed expiration for issued access tokens is 2592000 seconds (30 days).

B. Dashboard > Applications > Applications > Applications setting

Refresh token: A Refresh Token is a special kind of token used to obtain a renewed access token.

Refresh Token Rotation > Rotation: when this is enabled, every time an application exchanges a refresh token to get a new access token, a new refresh token is also returned.

  • The reuse interval (leeway window) helps to avoid concurrency issues when the rotating Refresh Token is exchanged multiple times within a given timeframe. During the leeway window, breach detection does not apply and a new rotating Refresh Token is issued. Only the previous token can be reused in this way; if the second-to-last token is exchanged, breach detection is triggered.

Refresh Token Expiration > Absolute / Inactivity Lifetime: [for testing purposes, set shorter intervals like 80 / 20 seconds respectively]

  • This is the expiry of the Refresh Token, which is used to get a new Access Token.
  • Once this time has elapsed and the user performs any activity on the page, a new Refresh Token is issued.
  • The new Refresh Token is then used to issue a new Access Token.

C. Dashboard > Settings (tenant setting) > Advanced > Log In Session Management > Inactivity timeout

The Tenant Session Management settings apply to the Auth0 session (represented by a cookie in the Auth0 tenant domain). If the Auth0 session has expired (per the tenant inactivity timeout in tenant settings), the user must log back in; a Refresh Token cannot establish a new Auth0 session. The user is forced to re-authenticate after 100 days of inactivity, after 365 days even with activity, or sooner depending on the tenant settings.
This is described in detail here: Session Lifetime Limits.