Session not extended by token exchange

I’m trying to implement an inactivity timer for my React SPA using the approach suggested here: Session Lifetime Limits. As I have implemented it, the timer will be (re-)set each time the user obtains a new token. (That is my interpretation of the following sentence: “Each time a token is returned to the application, reset the timer.”) I am using refresh tokens, so a new access token is regularly generated through a request to the /oauth/token endpoint. Through some preliminary testing I’ve determined that the session is not being extended by this action. That is, calling getAccessTokenSilently() will throw an error with message Login required after the idle session lifetime has passed. This seems to conflict with the idea of the user being “inactive” or “idle”.

Client settings:

{
    "refresh_token": {
        "expiration_type": "expiring",
        "leeway": 3600,
        "token_lifetime": 3600,
        "idle_token_lifetime": 3500,
        "infinite_token_lifetime": false,
        "infinite_idle_token_lifetime": false,
        "rotation_type": "rotating"
    }
}

Tenant settings:

{
    "idle_session_lifetime": 1,
    "session_lifetime": 168
}

Hi @edwindwalker,

I recommend referring to our Inactivity Timeout and Refresh Token Exchanges knowledge articles, which address the issue of using refresh tokens.

You may also find our Session Management - Login Issues and Staying Logged In knowledge article helpful.

Let me know if you have any follow-up questions.

Thanks,
Rueben

I have reconfigured my Auth0Provider to not use refresh tokens and, despite regular calls to the /authorize endpoint, after 60 minutes I am redirected to the login page. I do not have to re-enter my details. The following error is being thrown:

Hi @edwindwalker,

Thanks for the update.

Since you are using a React SPA, you should use silent authentication to extend the user’s session without requiring user interaction. Refresh tokens are typically designed for regular web applications, as noted in this documentation.

Thanks,
Rueben
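Added example, not part of the thread and not Auth0 code: a simplified JavaScript model of the two clocks discussed above, the app-side inactivity timer that resets whenever a token is returned and the tenant session's idle clock, replayed against the tenant settings from the first post. The `replay` and `every` helpers and the `via` labels are hypothetical, and the model assumes the tenant lifetimes are in hours, that the refresh token itself is still valid, and that only silent authentication touches the session, as the posts describe.

```javascript
// Simplified model of the behaviour described in this thread (assumptions
// are labelled). Times are in seconds since login.
const HOUR = 3600;

function replay(tenant, calls) {
  // Assumption: idle_session_lifetime and session_lifetime are in hours.
  const idleLimit = tenant.idle_session_lifetime * HOUR;
  const absoluteLimit = tenant.session_lifetime * HOUR;
  let sessionTouchedAt = 0; // server side: last time the session was used
  let appTimerResetAt = 0;  // client side: reset whenever a token is returned
  const trace = [];

  for (const { t, via } of calls) {
    const sessionValid = t - sessionTouchedAt < idleLimit && t < absoluteLimit;
    let outcome;
    if (via === "refresh_token") {
      // Modelled on the first post: the /oauth/token exchange returns a token
      // (assuming the refresh token is still valid) but leaves the session's
      // idle clock where it was.
      outcome = "token";
      appTimerResetAt = t;
    } else if (sessionValid) {
      // Silent authentication (/authorize) uses the session and extends it.
      outcome = "token";
      sessionTouchedAt = t;
      appTimerResetAt = t;
    } else {
      outcome = "login_required";
    }
    trace.push({ t, via, outcome,
                 sessionIdleFor: t - sessionTouchedAt,
                 appIdleFor: t - appTimerResetAt });
  }
  return trace;
}

// Helper: one call of the given kind every `step` seconds up to `until`.
const every = (via, step, until) =>
  Array.from({ length: Math.floor(until / step) },
             (_, i) => ({ t: (i + 1) * step, via }));

// Constructed scenario using the tenant settings from the first post:
// refresh-token exchanges every 10 minutes, then one silent authentication.
const demoTenant = { idle_session_lifetime: 1, session_lifetime: 168 };
const demoTrace = replay(demoTenant, [
  ...every("refresh_token", 600, 3600),
  { t: 3700, via: "silent_auth" },
]);
console.log(demoTrace[demoTrace.length - 1]);
```

In the constructed scenario the app-side timer has been idle for only 100 seconds when the session's idle clock passes one hour, which is the divergence the first post reports.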