Refresh token lifetime and session length

Do I understand correctly that with a Refresh Token we can allow a user to be authenticated for 30 days without the need to go through the login form?
Since we have the Refresh Token absolute lifetime set to 1296000 which is 30 days and the Inactivity lifetime to 1296000 (15 days), a user should be forced to login every 15 days if not using the app and every 30 days when using the app?


Hi @lukaszkorona,

The refresh token is used to obtain a new access token, but cannot be used to “refresh the session”.

The login session is determined by the Session Lifetime Limits. These settings will determine when a user is prompted to login.

Hope that helps!

It does but why is it like that? Is it part of the specification or a security concern? I’m trying to understand it because from our perspective session limits are very low. Especially Inactivity timeout (max 3 days).

We have users logging in every few days and we see high dropout rate on the login form.

Do the limits also apply to native apps?

From what I can find, the OAuth2 spec makes no mention of refreshing a session with the refresh token, and limits the token’s scope to fetching a new access token.

I can also clarify my initial response: There are multiple layers of sessions happening, and even though the Auth0 Session has expired, that does not immediately result in the Application Session expiring.

For example: A refresh token can be used to retrieve access tokens for the configured time period, even when the Auth0 Session Layer has expired. This would essentially allow the (native) application to retrieve tokens and continue the Application Session even when the Auth0 Session has reached its limit. The Session Lifetime settings are separate from the Refresh Token Lifetimes. This FAQ illustrates it: Inactivity Expiration with Refresh Token

We also offer a Long Lived Sessions feature with enterprise subscriptions. This feature allows you to configure your Auth0 session to inactivity timeouts of up to 100 days.
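The two-layer behaviour described in this answer, as a small simulation added here (this is not Auth0 code). The lifetimes are constructed for illustration: refresh token 30 days absolute and 15 days inactivity, Auth0 session 3 days inactivity and 30 days absolute; a refresh-token exchange never extends the Auth0 session, only an interactive login does.

```python
from dataclasses import dataclass

DAY = 86_400  # seconds


@dataclass
class Lifetime:
    absolute: int    # max age since issue, in seconds
    inactivity: int  # max gap since last use, in seconds


@dataclass
class Credential:
    issued_at: int
    last_used: int

    def alive(self, life: Lifetime, now: int) -> bool:
        return (now - self.issued_at <= life.absolute
                and now - self.last_used <= life.inactivity)


# Constructed tenant settings (assumptions, not values from this thread).
REFRESH_LIFE = Lifetime(absolute=30 * DAY, inactivity=15 * DAY)
SESSION_LIFE = Lifetime(absolute=30 * DAY, inactivity=3 * DAY)


def simulate(use_times: list[int]) -> list[tuple[int, bool, bool]]:
    """Replay app launches after an interactive login at t=0.

    Each launch attempts a refresh-token exchange. Returns one tuple
    per launch: (day, exchange_succeeded, auth0_session_still_alive).
    A failed exchange forces the login form, which reissues both layers.
    """
    session = Credential(0, 0)   # Auth0 session (browser layer)
    refresh = Credential(0, 0)   # refresh token held by the app
    out = []
    for now in use_times:
        session_alive = session.alive(SESSION_LIFE, now)
        if refresh.alive(REFRESH_LIFE, now):
            refresh.last_used = now           # inactivity window restarts
            out.append((now // DAY, True, session_alive))
        else:
            session = Credential(now, now)    # user sees the login form
            refresh = Credential(now, now)
            out.append((now // DAY, False, session_alive))
    return out
```

With launches on days 1, 5, 10, 20 and 31, the Auth0 session is already gone by day 5 yet the app keeps obtaining access tokens until the 30-day absolute limit ends the refresh token on day 31; a 16-day gap between launches trips the 15-day inactivity limit instead.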
