
Set up a max expiration time for renew token with silent authentication + TTL of login page

hosted-login-page
token-expiration

Hi,

I am trying to set up my app correctly, but it seems I’m not setting the right configuration field for the expiration time. So maybe someone can help me find the right one.

After login, I want the user's session to be valid for 12 hours, without renewal via silent authentication.
What I have found that seems to work for this is in:

  • API / {my custom API} / Token expiration / Token Expiration For Browser Flows (Seconds)
    If I set this parameter, then when I use auth0-js .parseHash I get an expireAt value of 12 hours (fine)

Now I want the user to be able to do silent authentication and renew the token (a new token of 12 hours), but limit the time he can do that again and again to 30 days.
Which configuration parameter should I change?

Also bonus question:

  • In API / {my custom API} / Token expiration / Token Expiration -> which case does this parameter change the expiration for?
  • On the login page (I’m using a custom login page implemented using auth0-js): auth0-js creates a “state” to avoid some attacks, so if you stay on the login page for some time, it is no longer valid even if you enter good credentials. How do I set this time? What is the actual value (the TTL of a login page)?

Thanks