We’re seeing users get disconnected after roughly one hour, even though we use refresh tokens every 10 minutes.
To meet security standards, we enabled refresh token rotation.
Our assumption was that refresh tokens could renew the access token (session) indefinitely. However, this doesn’t seem to be the case given our application settings:
Maximum ID token lifetime: 3600 seconds
Idle refresh token lifetime: 900 seconds
Maximum refresh token lifetime: 3600 seconds
Our hypothesis is that the session expires after 3600 seconds (the maximum refresh token lifetime), even if we continuously rotate and refresh the token.
Are we missing something, or is this understanding correct?
If so, setting the maximum refresh token lifetime to 31,557,600 seconds (1 year) on a device that stays continuously connected would effectively allow a one‑year session without requiring the user to log in again.
You are correct. With Refresh Token Rotation, the Maximum Refresh Token Lifetime is an absolute cap for the entire refresh token family. Once that limit is reached, the family can’t be used to get new tokens, even if you’ve been rotating regularly. Rotation helps with security, but it doesn’t extend the absolute lifetime. https://auth0.com/docs/secure/tokens/refresh-tokens/configure-refresh-token-expiration
If you raise the Maximum Refresh Token Lifetime (up to 31,557,600s = 1 year) and keep rotating before the idle window elapses, users can continue exchanging RTs for new ATs without re-logging in until that absolute limit is reached.
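As an added illustration of the behaviour described in this answer (example code written here, not Auth0's implementation and not the poster's), the following Python models a token endpoint with refresh token rotation, an Idle Refresh Token Lifetime and a Maximum Refresh Token Lifetime, then replays the poster's settings: refreshing every 600 s works five times and the family dies at exactly 3600 s, refreshing every 1000 s dies on the idle window first, and raising the maximum to 31,557,600 s keeps a device that refreshes every 10 minutes logged in for a whole simulated day. The boundary rule (a token is rejected once the elapsed time reaches the limit), the error strings and the reuse-detection revocation of the whole family are assumptions of this model; the class and function names are made up for the example.

```python
"""Model of refresh token rotation with idle and absolute (maximum) lifetimes.

Constructed example, not Auth0's code. Rules encoded (assumptions of the model):
  - a login starts a token family; every successful refresh rotates to a new
    refresh token in the same family and the previous one becomes invalid;
  - the family is rejected once `idle_lifetime` seconds have elapsed since the
    last successful refresh, or once `absolute_lifetime` seconds have elapsed
    since login, whichever comes first; rotation never moves the absolute cap;
  - presenting an already-rotated token (reuse) revokes the whole family.
All times are integer seconds.
"""
from dataclasses import dataclass
import secrets


@dataclass
class Family:
    created_at: int     # login time; the absolute lifetime is counted from here
    last_used_at: int   # last successful refresh; the idle lifetime is counted from here
    current: str        # the only refresh token in the family that is still valid
    revoked: bool = False


class RefreshTokenServer:
    """Hypothetical token endpoint issuing rotating refresh tokens."""

    def __init__(self, idle_lifetime: int, absolute_lifetime: int) -> None:
        self.idle_lifetime = idle_lifetime
        self.absolute_lifetime = absolute_lifetime
        self.families = {}          # family_id -> Family
        self.token_to_family = {}   # refresh token -> family_id

    def _mint(self, family_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.token_to_family[token] = family_id
        return token

    def login(self, now: int) -> str:
        """Interactive login: start a new family and return its first refresh token."""
        family_id = secrets.token_hex(8)
        self.families[family_id] = Family(created_at=now, last_used_at=now, current="")
        self.families[family_id].current = self._mint(family_id)
        return self.families[family_id].current

    def refresh(self, refresh_token: str, now: int):
        """Exchange a refresh token; returns (new_refresh_token, None) or (None, error)."""
        family_id = self.token_to_family.get(refresh_token)
        if family_id is None:
            return None, "invalid_grant: unknown refresh token"
        fam = self.families[family_id]
        if fam.revoked:
            return None, "invalid_grant: family revoked"
        if refresh_token != fam.current:
            # An already-rotated token is being replayed: treat the family as
            # compromised and revoke it (reuse detection).
            fam.revoked = True
            return None, "invalid_grant: reuse detected, family revoked"
        if now - fam.created_at >= self.absolute_lifetime:
            # Absolute cap counted from login; rotating regularly does not extend it.
            fam.revoked = True
            return None, "invalid_grant: maximum refresh token lifetime exceeded"
        if now - fam.last_used_at >= self.idle_lifetime:
            fam.revoked = True
            return None, "invalid_grant: idle refresh token lifetime exceeded"
        fam.current = self._mint(family_id)   # rotate: old token is now dead
        fam.last_used_at = now
        return fam.current, None


def simulate(idle_lifetime: int, absolute_lifetime: int,
             refresh_interval: int, horizon: int):
    """Client that logs in at t=0 and refreshes every `refresh_interval` seconds.

    Returns (successful_refreshes, failed_at, error); failed_at is None when
    the session survived until `horizon`.
    """
    server = RefreshTokenServer(idle_lifetime, absolute_lifetime)
    token = server.login(0)
    successes = 0
    for t in range(refresh_interval, horizon + 1, refresh_interval):
        token, error = server.refresh(token, t)
        if error:
            return successes, t, error
        successes += 1
    return successes, None, None


if __name__ == "__main__":
    # Poster's settings: idle 900 s, maximum 3600 s, client refreshes every 600 s.
    print(simulate(900, 3600, 600, 7200))
    # Same settings, client refreshes every 1000 s: the idle window expires first.
    print(simulate(900, 3600, 1000, 7200))
    # Maximum raised to one year: a device refreshing every 10 min lasts the whole day.
    print(simulate(900, 31_557_600, 600, 86_400))
```

The first run stops at t=3600 with the maximum-lifetime error after five successful rotations, which is the "disconnected after roughly one hour" the question describes; only raising the absolute cap (third run) changes that, and the idle window still has to be honoured on every cycle (second run).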