I recently switched my app to use the auth0-spa-js package, so I can start using refresh tokens. Thought everything was going great, then I got onto my app a day later and had to login again. I realize I never set my configuration in the client to use refresh tokens so maybe just changing that will fix the issue. However, I’m trying to decrease my token timeouts, so I can start getting some unauthorized responses back from my API, and actually test that the refresh tokens are actually working.
Problem is I’m a little confused on all the different timeouts. I’ve set all my timeouts to 120 seconds, but I always seem to get a new token and call my API successfully.
I first tried reducing the timeout in my Application token settings, but no luck. That appears to change the expiration on my id token. So I think that makes sense since it is my auth token that gets sent to the API.
Next I tried reducing my API token timeout, and that appears to have changed the expiration on my auth token, but it just gets another one. So I was confused, but then I thought maybe it was because the Session was still active, so the auth code was still able to be used to get a new token using that, so I reduced my session timeout in the advanced settings, but I still get new tokens, I can’t break it when I want to.
I’m just hoping someone can help me figure out what I’m doing wrong. How can I shorten my timeouts to test what is happening in my application without waiting several hours.