Renew access token without reference token

Hi,

I have the following scenario:

  1. A user visits my SPA (web).
  2. The user logs in and receives an access token that will expire in, let’s say, 1 hour. The token is stored in local storage.
  3. An hour is passing by and the user is still using the application.
  4. The user has to re-login and loses unsaved work

As I understand there are a few different solutions:

  1. Refresh token. But this is not to prefer in a SPA (since there is no safe place to store the Refresh token)
  2. Extend the lifetime. The problem will remain. Even if I set the lifetime to one day the user can leave the browser open and get back to work right before the time expires.
  3. Silent Authentication but that requirer SSO which I do not use.

What is the best practice?

Ideally, I want to keep the user logged in for a week and if the user visits the site within that week the session should be extended. Meaning; if the user keeps coming back the user will be logged in forever. Is this possible?

Is it possible to get a new access token from an existing one (that is still valid)?

Thanks.

1 Like

There’s two things that expire: tokens and the session.
Even though your token might expire in 1h, your session might take longer, so you can always ask for new tokens. So, if you know that the access_token has expired, call webauth.checkSession to get a new one. If it returns login_required, that means that the session has expired, so the user will have to login again. More info: Auth0.js v9 Reference