Revoking access token after some inactivity

It is common to revoke access if a session has been inactive too long. How is this done with auth0?

I was thinking of issuing a refresh token, and using that to renew the access token; the idea would be to forget the refresh token when done, and the access tokens will expire, providing the effect I want. But that leaves some refresh-token residue on the auth0 servers, which means they must be cleaned up by something.

I was hoping a re-authentication could happen in the background with getTokenSilently(), but I have been unable to imagine any situation in which the runIFrame() call doesn't fail: it always returns

{
    "error":"login_required",
    "error_description":"Login required",
    "state":"fAfla4VJTgK49KTLwTO6an2Y5KvCcPrB-cFnPObgdKc"
}

which makes sense because the /authorize endpoint expects the user to log in. Which raises the question: what is getTokenSilently() even for?

Maybe the API server can verify the access token just once; establish a session; and then manage the access duration that way? If that’s the case, then I see no reason that access tokens should have a default lifespan of a whole day. Just a few minutes is more than enough.

Otherwise, I guess my SPA must save its state, and then travel off-page to re-authenticate?

Thank you

Hi @klahnakoski,

A SPA should not have access to refresh tokens, as they are basically a credential and should not exist client side.

As for getTokenSilently, it works by checking if there is an existing session cookie with the authentication server. This is silent authentication and is described here:

If you are not experiencing that then there is likely an issue with your session and I would be happy to try and debug that with you.

The length of the session can be configured in your tenant. This feature may solve your original problem. Described here:

Just for clarification, access tokens are stateless, which means they cannot be revoked in the same way a stateful refresh token can be. The best defense for access tokens (if you are concerned about the security implications of a stateless token) would be a short lifetime. This can be configured in your API settings.

Hope this helps!

Thanks,
Dan


Thank you. I have confirmed it was the google account that did not allow silent authentication. When I used the auth0 username/password it worked fine.


Glad it got worked out.

Thanks,
Dan
