Timeouts and Refresh Tokens

kindschuha · July 2, 2021, 5:26pm

I recently switched my app to use the auth0-spa-js package, so I can start using refresh tokens. Thought everything was going great, then I got onto my app a day later and had to login again. I realize I never set my configuration in the client to use refresh tokens so maybe just changing that will fix the issue. However, I’m trying to decrease my token timeouts, so I can start getting some unauthorized responses back from my API, and actually test that the refresh tokens are actually working.
Problem is I’m a little confused on all the different timeouts. I’ve set all my timeouts to 120 seconds, but I always seem to get a new token and call my API successfully.
I first tried reducing the timeout in my Application token settings, but no luck. That appears to change the expiration on my id token. So I think that makes sense since it is my auth token that gets sent to the API.
Next I tried reducing my API token timeout, and that appears to have changed the expiration on my auth token, but it just gets another one. So I was confused, but then I thought maybe it was because the Session was still active, so the auth code was still able to be used to get a new token using that, so I reduced my session timeout in the advanced settings, but I still get new tokens, I can’t break it when I want to.
I’m just hoping someone can help me figure out what I’m doing wrong. How can I shorten my timeouts to test what is happening in my application without waiting several hours.

Thank you!
Tony

thameera · July 7, 2021, 8:51am

Hi @kindschuha , since you are doing this in a SPA, I believe you are using rotating refresh tokens. There are two timeout settings that affect this:

The ones under “Refresh Token Expiration” in your application’s settings. These control how long a refresh token would be valid for. More info here: Configure Refresh Token Expiration
The tenant’s session lifetime settings. These control the user’s Auth0 session. More info here: Configure Session Lifetime Settings

If the refresh token is expired, the application will redirect the user to Auth0 to log in. If the Auth0 session is still active, they will be redirected back to the application automatically with new tokens, so you won’t easily notice that happening. If you actually want the user’s session to be shorter (so they have to log back in), you can change the session lifetime.

Does that help? If it’s still not clear, it’d help to know exactly what values you have for each, and what exactly your repro steps are.

kindschuha · July 8, 2021, 11:06pm

Thank you @thameera for the clarification. After you confirmed what I was thinking, I went back into the session settings and realized the timeout was in minutes, not seconds like the others. Thank you for your response!

konrad.sopala · July 9, 2021, 6:50am

No worries! We’re here for you!

system · July 24, 2021, 6:50am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Authorization Code with PKCE flow for SPA with Refresh Token and idle timeout Help sessions , rotating-refresh-tokens	4	84	August 29, 2024
How to extend Auth0 session cookie life time Help	4	5403	January 12, 2022
Various timeouts and expirations- please clarify Help auth0 , timeout , expiration	1	3196	June 30, 2020
SPA+API architecture with PKCE and refresh token Help	3	3306	September 9, 2020
Logout user once refresh token expires, instead of making call to /authorize endpoint to get new access and refreshtoken Help classic-universal-login-experience , login-experience	3	3938	February 16, 2023

Timeouts and Refresh Tokens

Related Topics