Refresh token best practices

Hello. Our application uses the Auth0 SPA SDK for authentication and validation when calling an API.

Our refresh token configuration is as follows:

Maximum ID Token lifetime: 7200 seconds

Idle refresh token lifetime: 1296000 seconds

Maximum refresh token lifetime: 31557600 seconds

Rotation overlap period: 86400 seconds

API access token lifetime: 2505600 seconds

Under this configuration, we have been experiencing a large number of users being forced to log out due to their refresh token expiring, and as such, are considering disabling idle token expiry and relying on token rotation for security concerns.

Are there any recommendations or best practices to handle this?

Thank you.

Hi @bryceb

Thank you for reaching out to us!

After reading through your use-case, I would agree that configuring Refresh Token Rotation would be the best course of action. It appears that the users are being forced to re-authenticate after 15 days of not using the application, after which the refresh token is expired and a new one needs to be issued.

Maintaining the Maximum Refresh Token Lifetime at 1 year should ensure that the session persists if the users periodically log in and trigger the token rotation, and the refresh tokens will only expire after the set period of time.

Leaving this documentation here in case it comes in handy, to you and other Community members:

Hope this helped!
Gerald
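The lifetime and rotation behaviour discussed in this thread, modelled as an added example (this is not Auth0's or the SPA SDK's code; the class name and the handling of reuse inside the overlap window are assumptions). It uses the lifetimes from the question and shows why a user who returns after 16 days is logged out long before the 1-year maximum, and how reuse detection, not idle expiry, is what rotation contributes to security.

```javascript
// Added illustration of rotation + lifetime semantics, using the lifetimes from
// the question. This is a model for reasoning about the settings, not Auth0's code.
const SETTINGS = {
  idleLifetime: 1296000,   // 15 days: a token that goes unused this long expires
  maxLifetime: 31557600,   // 1 year, counted from the original login
  rotationOverlap: 86400,  // 1 day: reuse of a just-rotated token is tolerated this long
};

class RefreshTokenFamily {
  constructor(loginAt, settings = SETTINGS) {
    this.settings = settings;
    this.familyStart = loginAt;
    this.revoked = false;
    this.nextId = 1;
    this.tokens = new Map();            // id -> { issuedAt, usedAt }
    this.current = this.issue(loginAt);
  }

  issue(now) {
    const id = this.nextId++;
    this.tokens.set(id, { issuedAt: now, usedAt: null });
    return id;
  }

  // Exchange token `id` at time `now` (seconds). On success the caller must
  // store the returned token, because the one it used is now spent.
  refresh(id, now) {
    const s = this.settings;
    const tok = this.tokens.get(id);
    if (this.revoked || !tok) return { ok: false, reason: 'revoked' };
    if (now - this.familyStart > s.maxLifetime) {
      this.revoked = true;
      return { ok: false, reason: 'max_lifetime' };
    }
    if (tok.usedAt !== null) {
      // Already rotated. Inside the overlap window (e.g. a retried request)
      // hand back the current token (an assumed simplification); beyond it,
      // treat the reuse as possible token theft and revoke the whole family.
      if (now - tok.usedAt <= s.rotationOverlap) return { ok: true, token: this.current, reused: true };
      this.revoked = true;
      return { ok: false, reason: 'reuse_detected' };
    }
    if (now - tok.issuedAt > s.idleLifetime) return { ok: false, reason: 'idle_expired' };
    tok.usedAt = now;
    this.current = this.issue(now);
    return { ok: true, token: this.current };
  }
}
```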