Hey Auth0 folk,
Is there an easy way (I know I could always write my own shim layer in front of Auth0 to do it) to make JWTs in SPAs act as a limited sort of refresh token? I know that having a separate long-lived refresh token is a big security issue in an SPA, but I figured a short-lived token that respects inactivity restrictions would be more secure.
More concretely, we may have users who have third-party cookies disabled (preventing silent auth from working). We want users to be logged out after an inactive time of 1 hr and force a re-login after 16 hrs regardless of activity. I’m imagining a scenario in which our JWTs have a 1 hr expiration, and there’s an Auth0 endpoint that the app can hit and provide an active JWT to get a new JWT back and extend the length of the session by another hour, but not beyond the max length of 16 hrs. This would be more secure than just making JWTs last 16 hours, since it would take inactivity into account.
I see lots of other people asking similar questions (https://community.auth0.com/search?q=refresh%20spa), but I didn’t find any that took the third-party cookies disabled scenario into account.
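The renewal rule sketched in the post, as an added example that is not Auth0's code and not part of the original post: a minimal HS256 JWT with a constructed secret, a constructed `auth_time` claim recording the interactive login, and a `renew` function that extends `exp` by the 1 hr idle window but never past 16 hrs after login. Both the algorithm check and the signature check run before any claim is trusted, so a client cannot extend its own session by editing `exp`.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the demo; the real secret and policy would live server-side.
SECRET = b"constructed-demo-secret"
IDLE_TIMEOUT = 60 * 60        # 1 hr without a renewal ends the session
MAX_SESSION = 16 * 60 * 60    # 16 hrs after login forces a re-login regardless of activity

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode(claims: dict) -> str:
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def decode(token: str, now: int) -> dict:
    """Verify alg, signature and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    if json.loads(_unb64(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose its own algorithm
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def login(sub: str, now: int) -> str:
    # auth_time marks the interactive login and is carried unchanged through every renewal
    return encode({"sub": sub, "auth_time": now, "exp": now + IDLE_TIMEOUT})

def renew(token: str, now: int) -> str:
    """Exchange a still-valid token for one lasting another IDLE_TIMEOUT, never past MAX_SESSION."""
    claims = decode(token, now)
    hard_limit = claims["auth_time"] + MAX_SESSION
    if now >= hard_limit:
        raise ValueError("absolute session limit reached; re-login required")
    return encode({**claims, "exp": min(now + IDLE_TIMEOUT, hard_limit)})
```

The same check runs whether or not third-party cookies are available, because the renewal endpoint only needs the bearer token the SPA already holds; what it cannot do is revive a token that has already lapsed.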