Session lifetime settings don't work correctly

Configure Session Lifetime Settings - using the following docs I set the logout time to 1 minute


As a result, the token expiration date doesn't change even after refetching the token, and it looks like this setting depends on this option:
Can you explain how to log out a user after 1 minute? And how does activity work? What is meant by user activity?

Hi @dabashin140504 , welcome to Auth0!

It will be easier to talk about this in context - what app type (SPA, regular web app, native, mobile) do you test sessions with? Do you use methods like silent authentication or refresh token rotation?

Activity in terms of interaction with your Auth0 tenant (an example would be requesting new tokens when a user refreshes the page in the case of a SPA, or a user requesting some protected API resources (registered in Auth0), which triggers sending a POST request to https://{yourDomain}/oauth/token to get new tokens).

I have a SPA project, and the main Auth0 logic (like sign up and password recovery) is implemented in the BE. I have only tried the solution from your docs about changing the token lifetime in the admin panel. I don't know why the token lifetime doesn't work properly. Maybe you can give me a suggestion or something like that about where and what I need to change to sign out a user after 1? Because changing the token lifetime in the Auth0 admin doesn't help me.

Can you help me with my issue, please? So my question is: how do I need to implement a feature to log out a user after 1 min of inactivity if I get the token from the BE after login and sign up? I have a React application using React Query, and in the BE I use NestJS. How do I need to implement this feature? Maybe you have a webhook for this?

And I have a question: where can I get the status when the user is inactive? Because in the token we have the decodedToken.exp property, but this property isn't for inactivity time. Where can I track the user's inactivity time, namely the state of this?

Hi @dabashin140504 !

Here are my research results:

Users stay logged in regardless of the Login Session Management settings because of an auth cookie stored in the browser, which is set after a user logs in. With access to this cookie, the user stays logged in and a local session persists. (My colleague explained it well in this topic)

Looking at our docs, the exp claim in the ID token can be used to determine when an app has to call the /logout endpoint.

The exp claim refers to the ID Token Expiration value and can be set here:
Auth0 tenant → Applications → your SPA app → Settings → Id token → ID Token Expiration.

Please let us know if you have some questions on this!

We utilize the Auth0 API on our backend, ensuring that our frontend does not directly interact with Auth0. We are exploring the possibility of configuring parameters (refer to the attached screenshot) to identify user inactivity and subsequently sign them out of our application.

For instance, we are interested in determining if Auth0 can handle scenarios where there is no activity on the current-user endpoint or any other protected endpoint for a specified idle time period, say 15 minutes. If Auth0 supports this behavior, we would like guidance on where to configure this preference.

Hi @dabashin140504 !

Thank you for describing your use case further!

In the case of backend scenarios, the cookie mechanism is also present and can be roughly described as in the screen below:

No direct feature for that, unfortunately.
What comes to my mind is the iat ("issued at") claim, which is also present in the access token.
I can see that in the case of the PKCE flow and the Auth0 logic on the client side, each time I refresh the page or request protected API resources, new ID and access tokens are returned by Auth0 (without prompting the user for their credentials → cookie mechanism).

This way, based on the value of the "iat" claim, you will know when the last activity took place and therefore when to call the /logout endpoint.

Have you had a chance to set up a test app (one that matches your project architecture) and see if you can observe the same behaviour for the backend-side Auth0 logic?

Our quickstarts can be a good source for that.

Please let me know if I can assist you in follow up questions!
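The approach suggested in the reply above (reading the `iat` claim of the most recently issued token to decide when to call `/logout`) as an added example; this is illustrative code, not from the thread or from Auth0's SDKs. The token is a constructed, unsigned sample, and the names `makeSampleToken`, `decodePayload` and `sessionState` are assumptions; the decode step does not verify the signature, so it is only suitable for client-side logout timing, never for authorization.

```javascript
// Added example: idle-timeout decision driven by the "iat" claim of the
// latest token. Tokens here are constructed with a dummy signature; the
// payload is decoded WITHOUT verification, so the result is only used to
// decide when to send the user to /logout, never to grant access.

const b64url = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString('base64url');

// Build a JWT-shaped string from a payload (constructed, unsigned sample).
function makeSampleToken(payload) {
  const header = b64url({ alg: 'none', typ: 'JWT' });
  return `${header}.${b64url(payload)}.sig`;
}

// Decode the payload segment of a JWT. No signature check (see note above).
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Classify the session from the newest token the app holds.
// Returns 'active', 'idle' (no token issued within idleLimitSec, so the
// last Auth0 interaction is too old and /logout should be called) or
// 'expired' (absolute lifetime from the exp claim has passed).
// nowSec and the claims are Unix seconds, as in JWTs.
function sessionState(token, nowSec, idleLimitSec) {
  const { iat, exp } = decodePayload(token);
  if (typeof iat !== 'number' || typeof exp !== 'number') {
    throw new Error('token lacks iat/exp claims');
  }
  if (nowSec >= exp) return 'expired';
  if (nowSec - iat > idleLimitSec) return 'idle';
  return 'active';
}

// Demo with a 60 s idle window (the thread's "log out after 1 minute").
const sample = makeSampleToken({ sub: 'auth0|example', iat: 1000, exp: 37000 });
console.log(sessionState(sample, 1030, 60));  // 'active'
console.log(sessionState(sample, 1100, 60));  // 'idle'  -> call /logout
console.log(sessionState(sample, 40000, 60)); // 'expired'
```

Each time the backend returns fresh tokens (page refresh, protected API call), replace the stored token so `iat` moves forward; if no new token arrives within the idle window, the state flips to `idle` and the app calls `/logout`.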
