Session Idle Timeout and Access Token Interactions

I want to double check my understanding of how session idle timeout works.

Using the api.session.setIdleExpiresAt to expire in 15 minutes, my session is correctly terminated if the SPA app requests a new access token after 15 minutes.

However, from the user’s perspective, they have been busy interacting with the application using their access token that has a 1-hour lifespan. They would be surprised to learn they were logged out because they were inactive.

I can force interactions with the Auth Server (Auth0) more frequently if I set the lifespan of the access token to 15 minutes; then the api.session.setIdleExpiresAt will run again, presumably a few seconds before the expires time is reached, and so the new token will be issued. But it is probably best to make the access token lifespan a safe age under 15 minutes.

For a 15 minute session idle time, does Auth0 recommend a 10 minute access token? This would ensure an active user would trigger an interaction with Auth0 before the 15 minute session expiration is reached. Is there concern that the traffic load on Auth0 would increase appreciably should a 10 minute access token become the norm?
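
Added example, not part of the original post and not Auth0 code: a small model of the timing described above, showing when a continuously active user is logged out for a given access token lifespan and how many token renewals that costs. It assumes the idle expiry is only pushed out when the SPA contacts the authorization server for a new token, and that the client renews `leewayMin` minutes before the token expires; `simulate`, `onInteraction` and the mock `api` object are hypothetical names.

```javascript
// Model only: all times are minutes since login.
const IDLE_MIN = 15; // session idle timeout from the post

// Stand-in for the handler the post describes: every interaction with the
// authorization server pushes the idle expiry out by IDLE_MIN again.
function onInteraction(nowMin, api) {
  api.session.setIdleExpiresAt(nowMin + IDLE_MIN);
}

// Simulate a user who keeps working in the SPA for `activeMin` minutes.
// The SPA talks to the authorization server only to renew its access token,
// `leewayMin` minutes before the current token expires (assumed behaviour).
function simulate(tokenLifetimeMin, activeMin, leewayMin = 1) {
  const step = tokenLifetimeMin - leewayMin;
  if (step <= 0) throw new Error("leeway must be shorter than the token lifetime");

  let idleExpiresAt = 0;
  // Mock of the session API: it only records the requested expiry.
  const api = { session: { setIdleExpiresAt: (t) => { idleExpiresAt = t; } } };

  onInteraction(0, api); // login at t = 0
  let now = 0;
  let renewals = 0;
  while (true) {
    const next = now + step;                 // next token renewal attempt
    if (next > activeMin) return { loggedOutAt: null, renewals };
    if (next >= idleExpiresAt) return { loggedOutAt: next, renewals }; // session already idle-expired
    now = next;
    onInteraction(now, api);                 // renewal succeeded, idle timer reset
    renewals++;
  }
}

// Two hours of continuous use with different access token lifespans.
for (const [lifetime, leeway] of [[60, 1], [15, 0], [15, 1], [10, 1]]) {
  const r = simulate(lifetime, 120, leeway);
  console.log(`token=${lifetime}m leeway=${leeway}m ->`,
    r.loggedOutAt === null ? `still logged in, ${r.renewals} renewals`
                           : `logged out at renewal attempt t=${r.loggedOutAt}m`);
}
```

In this model a 15-minute token only survives if the client renews strictly before the 15-minute mark, which is the margin the post is asking about.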