@matt.macadam Thank you for the detailed explanation! Would you mind clarifying a few things?
Firstly:
- I DO need to support SSO on iOS with Refresh Tokens.
- I DO need to silently log out a user without requiring user confirmation of Apple’s dialog about shared cookies. (Basically, security – if a Refresh Token is revoked, I cannot allow the user to acquire a new Refresh Token without requiring the user to re-enter their username/password.)
To solve this, you provided two options:
- Short Auth0 sessions – How do I configure that?
- Passing a calculated “max_age” to /authorize – How do I do that? I know how to edit the source code, but I don’t understand if you mean the “Cache-Control: max-age=<seconds>” header, some non-standard header, a custom property in the post body, or something else.
Lastly, do I need to implement BOTH options for this to work, or just one?
Thank you!!!
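As an added illustration of what “passing max_age to /authorize” looks like under OpenID Connect (this is example code, not part of the post above and not Auth0’s own code): in OIDC Core 1.0 (section 3.1.2.1), max_age is an authorization request parameter carried in the /authorize query string, not an HTTP header. When the relying party sends it, the ID token must contain an auth_time claim, and the relying party is expected to reject a token whose auth_time is older than max_age, which is what stops a stale login from being silently extended. The domain, client id and redirect URI below are constructed placeholders.

```python
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values; replace with your tenant's real settings.
AUTH0_DOMAIN = "example.auth0.com"
CLIENT_ID = "YOUR_CLIENT_ID"
REDIRECT_URI = "com.example.app://callback"


def build_authorize_url(max_age_seconds: int, state: str, nonce: str) -> str:
    """Build the OIDC /authorize URL with max_age as a query parameter.

    max_age is a standard OIDC request parameter (seconds since the user last
    authenticated that the RP is willing to accept); it is not a header.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile offline_access",  # offline_access -> refresh token
        "state": state,
        "nonce": nonce,
        "max_age": str(max_age_seconds),
    }
    return f"https://{AUTH0_DOMAIN}/authorize?{urlencode(params)}"


def max_age_in_url(url: str) -> Optional[str]:
    """Return the max_age query value from an authorize URL, or None if absent."""
    values = parse_qs(urlparse(url).query).get("max_age")
    return values[0] if values else None


def auth_time_is_fresh(id_token_claims: dict, max_age_seconds: int,
                       now: Optional[int] = None) -> bool:
    """Check the auth_time claim against the max_age that was requested.

    OIDC Core 3.1.2.1: when max_age is sent, auth_time MUST be present in the
    ID token and the RP checks that (now - auth_time) <= max_age. A missing or
    malformed auth_time is treated as a failure, never as "fresh enough".
    """
    current = int(time.time()) if now is None else now
    auth_time = id_token_claims.get("auth_time")
    if not isinstance(auth_time, int) or isinstance(auth_time, bool):
        return False
    return current - auth_time <= max_age_seconds


if __name__ == "__main__":
    # Example: accept only logins performed within the last 5 minutes.
    url = build_authorize_url(300, state="constructed-state", nonce="constructed-nonce")
    print(url)
    print(auth_time_is_fresh({"auth_time": int(time.time()) - 60}, 300))
```

The value you pass can be computed on the client (for example, the time since the refresh token was issued or since the last confirmed login), which is what the “calculated max_age” in the suggestion above refers to; the auth_time check is done after the ID token’s signature has been verified with your normal JWT validation.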