Hi Auth0, I started using Auth0 for a toy project a couple of months ago with 5 or so users (just family). This was around the time when rotating refresh tokens were made available, so I chose to use that for my SPA (React). One by one users (including myself) have encountered an issue whereby a call to the token endpoint results in a 403 and an
Error: Unknown or invalid refresh token.
I have so far managed to resolve this by asking users to, quite hackily, go into their local storage and delete the key for the auth0SPA, which then allows them to perform a login. Today, I had the issue happen to me again, and upon looking at the refresh token’s expiry, I realised that it expired a couple of days ago. I then went into my SPA settings on the Auth0 portal, and saw that the lifetime of my refresh tokens is set to 30 days. So I’m now thinking that the 2 are related. I am aware that this can be extended to 3 months, and it’s what I will be doing.
- Am I correct in understanding that users MUST log in again at least once every 3 months? I.e. there is no option whatsoever that a user is logged in ad infinitum. Again, I’m ok with this, and understand why it is so for security reasons.
- Should my code be the one deleting the Auth0SPA entry in my local storage? This makes little sense to me, since I believe the SPA.js library should be able to handle this by itself. What should my code be doing when the refresh token has expired?
EDIT: While I was reviewing the code, I noticed that I’m using cacheLocation="localstorage" when creating my Auth0Provider. Upon removing this, I was unable to reproduce the issue. The reason I had chosen to specify the cacheLocation as localstorage was because omitting this would result in the website not working on Safari. Is it possible that the library is not handling refresh token expiry correctly when cache location is localstorage?
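As an added example (not part of the original post, nor Auth0's own code), this is the kind of handling the second question points at: instead of asking users to edit local storage by hand, the SPA catches the failed silent token call, clears the SDK's local session and starts a fresh login. It assumes a client object with the auth0-spa-js v1-style methods getTokenSilently(), logout({ localOnly }) and loginWithRedirect({ appState }); the error codes treated as "session ended" are assumptions that should be checked against the SDK version in use.

```javascript
// Error codes assumed to mean the session can no longer be refreshed silently
// (expired/rotated-out refresh token, or no Auth0 session at all). Anything else
// (network failure, misconfiguration) is surfaced, not treated as a logout.
const SESSION_ENDED_ERRORS = new Set([
  'invalid_grant',          // token endpoint: "Unknown or invalid refresh token."
  'login_required',         // silent auth via iframe found no session
  'missing_refresh_token',  // SDK cache holds no refresh token for this audience
]);

function isSessionEnded(err) {
  return Boolean(err) && typeof err === 'object' && SESSION_ENDED_ERRORS.has(err.error);
}

// Returns { status: 'ok', token } or { status: 'reauthenticating' }.
// On a dead session it drops the cached entry (the one that lingers in
// localStorage when cacheLocation is 'localstorage') and redirects to login,
// remembering where the user was so they can be returned after the callback.
async function getTokenOrReauthenticate(client, { returnTo = '/' } = {}) {
  try {
    const token = await client.getTokenSilently();
    return { status: 'ok', token };
  } catch (err) {
    if (!isSessionEnded(err)) {
      throw err;
    }
    // Remove only the local session; no call to the Auth0 logout endpoint.
    await client.logout({ localOnly: true });
    await client.loginWithRedirect({ appState: { returnTo } });
    return { status: 'reauthenticating' };
  }
}
```

A React component would call getTokenOrReauthenticate(client, { returnTo: window.location.pathname }) before each API request instead of calling getTokenSilently directly.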