Regarding to this post: Inactivity Expiration with Refresh Token
I think we’re trying to achieve the same thing. When user close the tab or browser, we are trying to force him to login again if 5 minutes have passed since closing.
Our current settings:
Expiration token 2 mins
Refresh Token Rotation 5 mins
Refresh Token Absolute Expiration 24 hours
Refresh Expiration Token 5 mins
Session Cookie Mode: Persistent Session
Session Inactivity timeout 5 mins
Session Require log in after 7 days
Unfortunetly, after 5 mins we still able to log in with silent auth.
From the description of Refresh Token Expiration and Session Inactivity timeout, it follows that if there was no activities at that time, the token should be invalid.
What are we missing?
Why we still login with silent auth?
What did these settings change if our token is active all the time?
*Our application is behind an AWS ALB which redirects to Auth0 for authentication when needed.