
RenewAuth not using HostedLogin page

renewauth

#1

Back in June, jmangelo suggested in this message https://community.auth0.com/questions/2680/remember-me-functionality-in-a-spa-with-custom-log that there was some work going on to allow renewAuth without using the hosted login page, i.e. your own custom page on your own domain.

As you can imagine this is critical for many users creating custom login experiences. I was wondering if we could get an update on when this functionality might drop as I’m trying to schedule development resources. Happy to be a beta tester :slight_smile:


#2

Although I can provide you with an update I can’t provide what would be the most interesting information for you; an exact date for the availability of the feature. The functionality touches a few different aspects of the system and there are also several parts that need to be documented together. If you go spelunking through client-side libraries you’ll see some parts of the implementation, but this is not yet advertised because it still needs to go through final review. If I had to talk about dates and only providing a personal feeling about what’s left I would say the next few months, but don’t take this as granted, it could be sooner or later.


#3

Thank you for the update, I appreciate your help. So I guess in the short term my best bet would be to simply increase the expiration time of the id and access tokens?


#4

@jculverwell you asked the question I was just about to ask today! Interested to hear what flow you end up doing if you stay with non-hosted login page.


#7

If your security requirements allow for it (for example, the application in question does not have very specific security requirements), then increasing the expiration of the access token will indeed mitigate this, as it will reduce the number of times a new token would need to be obtained.


#8

But the only way to get a new one is to have the user login again, right? So there’s no real way to have a sliding window of access based on activity - you’d need to have the user login again when the current token is about to expire. Hopefully I’m missing something here!


#9

Thanks jmangelo for following up on this. A blocking issue with increasing the expiration time is that the maximum you can increase it for is one day. The ‘Token Expiration For Browser Flows (Seconds)’ setting forces a maximum value of 86400 seconds.


#10

Hi Brad, I’m in Australia (Sydney). I’m free anytime for the next 12 hours and also tomorrow.


#11

Hi Brad,
Do you have time for a Skype call? I’d be interested to share my approach and what you guys are doing. My Skype user ID is jculverwell


#12

Hi Jim
Thanks
Will see about contacting you later today.


#13

@jculverwell When is a good time?

