I am new to Auth0. I am having some issues setting up my architecture using Auth0.
I am using:
- SPA - react app with auth0 hooks
- Golang server API + mysql database
- Universal login with lock
I defined my authentication config as follows:
- PKCE with Log In Session Management
  - Inactivity timeout == 1 minute, Require log in after == 2 minutes
- Application Tokens
  - ID Token Expiration == 36000, token rotation enabled, Refresh Token Lifetime == 2592000, Refresh Token Reuse Interval == 5
- API token settings
  - Token Expiration == 900, Token Expiration For Browser Flows = 900
I know that the refresh token should be long and the access token should be shorter, and I presume that the session should be shorter in this flow. Is that right?
The session is not preserved after refresh or across pages. I think that I should save the refresh token to request a new access token in these cases, right? If yes, how do I implement it?
About persisting refresh tokens in local storage, I found the cache argument for Auth0Provider (cacheLocation="localstorage"), but it saves other sensitive data as well. Knowing that, should I code this save mechanism? Is there an option to pass it in the getAccessTokenSilently (from useAuth0) call?
I appreciate any help with this setup.