We are a startup company developing a mobile app, and so far we are very satisfied with Auth0.
However, one limitation seems a bit odd.
The session lifetime for non-enterprise plans is max 3 days, which is very limiting. Mobile apps are not necessarily used every day, and the need to authenticate each time might prevent users from using the app in the long run.
Is there any plan to change it? Is there maybe a way we can extend these limits without having to purchase the Enterprise edition? We really like Auth0 and want it to grow with us.
Refresh tokens don’t expire; they’re used to retrieve a new access token. They don’t rely on an active session. So, the session expiration doesn’t matter in an OAuth Refresh Token Grant.
No, SPAs aren’t secure clients, so refresh tokens can’t be used there. SPAs and silent authentication do rely on the user session, as opposed to the refresh token grant type.
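To make the distinction concrete, here is an added example (not code from the thread or from Auth0) of the refresh_token grant a native app would run against the tenant's `/oauth/token` endpoint: the request carries only the refresh token and client id, no session cookie, and the response handling covers token rotation and a revoked token. The tenant domain and client id are placeholders, and the `post` transport is injectable so the flow can be exercised offline.

```python
import json
import time
from urllib import error, parse, request

# Placeholders for the tenant domain and client id (not values from the thread).
AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"

def build_refresh_request(refresh_token, client_id=CLIENT_ID, client_secret=None):
    """Body for the OAuth 2.0 refresh_token grant (RFC 6749 section 6).
    Only the refresh token and the client identity are sent: no browser
    session or cookie is involved, which is the point made in the thread.
    A public client such as a mobile app sends no client_secret."""
    body = {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}
    if client_secret:
        body["client_secret"] = client_secret
    return body

def apply_token_response(stored, response, now=None):
    """Update the app's stored tokens from a token-endpoint response.
    Returns the new store, or None when the user must log in again."""
    now = time.time() if now is None else now
    if "error" in response:
        # invalid_grant: the refresh token was revoked or is unknown; the
        # only recovery is an interactive login.
        return None
    new = dict(stored)
    new["access_token"] = response["access_token"]
    new["access_expires_at"] = now + int(response["expires_in"])
    # With refresh-token rotation the server issues a replacement; keep it,
    # otherwise continue using the existing one.
    new["refresh_token"] = response.get("refresh_token", stored["refresh_token"])
    return new

def refresh(stored, post=None):
    """Exchange the stored refresh token for a new access token. `post` is an
    injectable transport so the flow can be exercised offline."""
    def default_post(body):
        req = request.Request(f"https://{AUTH0_DOMAIN}/oauth/token",
                              data=parse.urlencode(body).encode(),
                              headers={"Content-Type": "application/x-www-form-urlencoded"})
        try:
            with request.urlopen(req) as resp:
                return json.load(resp)
        except error.HTTPError as e:  # 4xx carries the OAuth error JSON
            return json.load(e)
    return apply_token_response(stored, (post or default_post)(build_refresh_request(stored["refresh_token"])))
```

A `None` result is the signal to send the user back through interactive login rather than retrying the exchange.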