Token expires every 24 hours in Google Action Auth0 account linking

Hi

I know that topic already existed, but looking here:

https://community.auth0.com/t/id-token-expires-in-24-hours-regardless-of-token-expiration-settings/7090

https://community.auth0.com/t/google-action-auth0-account-linking-token-expires-for-every-24hours/37799

I can’t find the JWT Expiration field.

Even though I didn’t find the JWT Expiration field, I followed:

https://auth0.com/docs/dashboard/guides/apis/update-token-lifetime

I changed the value of the Token Expiration in:

-> Application > My Application > Settings > ID Token Expiration
-> APIs > Auth0 Management API > Settings > Token Expiration

And after 24h I have to re-login.

The project:

I have an application in Google Assistant for Smart Homes and I use Auth0 to log in to Google Assistant. Everything works fine for 24 hours; after that, Google Assistant stops finding my application. All users who logged in less than 24 hours ago continue to function normally, showing that my application is working, and if I log in again as the user who lost access, everything works perfectly. Looking at the Google Assistant log in GCP I have the messages below. According to Google support this is because the token has expired.

Google Cloud Platform Google Assistant Log Event

{
 insertId: "1q60lo7f1a0hhk"  
 logName: "projects/hometeste-4a254/logs/actions.googleapis.com%2Factions"  
 receiveTimestamp: "2020-04-08T11:56:01.286151774Z"  
 resource: {
  labels: {
   action_id: "SMART_HOME_EXECUTE"    
   project_id: "hometeste-4a254"    
   version_id: ""    
  }
  type: "assistant_action"   
 }
 severity: "ERROR"  
 textPayload: "requestId 17755351508421706782 failed with code: OPEN_AUTH_FAILURE"  
 timestamp: "2020-04-08T11:56:01.264824793Z"  
}

{
 insertId: "1q60lo7f1a0hhl"  
 logName: "projects/hometeste-4a254/logs/actions.googleapis.com%2Factions"  
 receiveTimestamp: "2020-04-08T11:56:01.286151774Z"  
 resource: {
  labels: {
   action_id: "SMART_HOME_EXECUTE"    
   project_id: "hometeste-4a254"    
   version_id: ""    
  }
  type: "assistant_action"   
 }
 severity: "ERROR"  
 textPayload: "requestId 17755351508421706782: Agent responded empty JSON."  
 timestamp: "2020-04-08T11:56:01.264827518Z"  
}

Hi @marcelo.arnaldi,

Thanks for reaching out.

I am a bit confused, but it sounds like you want your session to last longer than the expiry of the token, or you want a longer lived access token. There are ways to achieve both of these, but let's break it down a little bit first.

The expiration will be in the exp claim. If you can’t decode your jwt, it is likely because it is an opaque token. This means it is not meant to be consumed by anything outside of Auth0.

It would be helpful to know if you are talking about the access token, or the id token.

Is the ID token expiring, or the access token?

Are you requesting a management API token? Otherwise this setting will not have an effect. Management API tokens are not automatically requested; this is a separate API from the authentication API.

I am not very familiar with this platform. How did you set up your application? Is it a mobile app? Did you use a quickstart or tutorial? Can you share how you are requesting the tokens?

Let me know, and we can go from there.
Dan
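
The checks raised in the reply above (the `exp` claim, opaque versus JWT, and whether a Management API token is being issued) can be run against a captured token with a small decoder. This is an added TypeScript example, not code from the thread or from Auth0; `inspectToken`, `TokenReport` and the `example-tenant` values are hypothetical, and the sample token is constructed.

```typescript
// Added example: diagnostic decode only; the signature is NOT verified.
interface TokenReport {
  kind: 'jwt' | 'opaque'
  expiresAt?: string       // exp claim as ISO-8601 UTC
  lifetimeHours?: number   // (exp - iat) in hours, when iat is present
  expired?: boolean
  managementApi?: boolean  // aud has the form https://TENANT/api/v2/
}

function decodeSegment(seg: string): any {
  // base64url -> padded base64 -> bytes -> UTF-8 -> JSON
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/')
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4)
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0))
  return JSON.parse(new TextDecoder().decode(bytes))
}

function inspectToken(token: string, nowSec: number = Math.floor(Date.now() / 1000)): TokenReport {
  const parts = token.split('.')
  if (parts.length !== 3) return { kind: 'opaque' }  // not header.payload.signature
  let claims: any
  try {
    decodeSegment(parts[0])                          // header must be JSON as well
    claims = decodeSegment(parts[1])
  } catch {
    return { kind: 'opaque' }                        // segments are not base64url JSON
  }
  if (claims === null || typeof claims !== 'object') return { kind: 'opaque' }
  const report: TokenReport = { kind: 'jwt' }
  if (typeof claims.exp === 'number') {
    report.expiresAt = new Date(claims.exp * 1000).toISOString()
    report.expired = nowSec >= claims.exp
    if (typeof claims.iat === 'number') report.lifetimeHours = (claims.exp - claims.iat) / 3600
  }
  const auds: unknown[] = Array.isArray(claims.aud) ? claims.aud : [claims.aud]
  report.managementApi = auds.some((a) => typeof a === 'string' && a.endsWith('/api/v2/'))
  return report
}

// Constructed sample (placeholder tenant, dummy signature): issued 2020-04-07T00:00:00Z, valid 24 h.
const b64url = (o: object): string =>
  btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
const sampleJwt = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({ iss: 'https://example-tenant.auth0.com/', aud: 'https://example-tenant.auth0.com/api/v2/',
           iat: 1586217600, exp: 1586304000 }),
  'constructed-signature',
].join('.')
console.log(inspectToken(sampleJwt, 1586346961))
```

A `lifetimeHours` of 24 on the token the integration actually receives identifies which lifetime setting is in effect, and `managementApi: true` shows that the token carries the Management API audience.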

Hi @dan.woda

Sorry for the confusion, but for me the subject is very new and I’m very confused, I honestly don’t know what I need, but let’s go on, the story is long:

I developed the application based on this tutorial:

After everything was working, I found out that I have to change the fake token. That was when I first heard about OAuth2 and saw on Auth0 platform a simple solution without having to go into it.

I managed to adapt the routine to TypeScript and everything worked fine with Auth0:

Then I found out that Google Assistant was unable to find my application after 24 hours, and Google support said that this “probably” was an expired token problem.

Let’s go to the application:

There is a project in Google Actions where I enter OAuth data:

In Google Assistant I find my application, login and everything works 100% for 24 hours.


But after 24 hours …

When I login my application receives the request and authenticates:

index.ts

import * as Auth from './auth-provider'
...
const expressApp = express()
expressApp.use(cors())
expressApp.use(morgan('dev'))
expressApp.use(bodyParser.json())
expressApp.use(bodyParser.urlencoded({extended: true}))
expressApp.set('trust proxy', 1)

Auth.registerAuthEndpoints(expressApp)
...

auth-provider.ts

...
export async function registerAuthEndpoints(expressApp: express.Express) {
  console.log('>>>> auth-provider: registerAuthEndpoints')

  // Authorization endpoint: redirects back to the caller's redirect_uri
  // (used as received) with a code and the original state.
  expressApp.get('https://legooluskitsmart.auth0.com/authorize', async (req, res) => {
    const responseurl = util.format('%s?code=%s&state=%s',
      decodeURIComponent(req.query.redirect_uri), 'xxxxxx',
      req.query.state)
    return res.redirect(responseurl)
  })

  // Token endpoint: grant_type may arrive in the query string or the body.
  expressApp.all('https://legooluskitsmart.auth0.com/oauth/token', async (req, res) => {
    const grantType = req.query.grant_type
      ? req.query.grant_type : req.body.grant_type
    console.log(`Grant type ${grantType}`)
  })

Hi @dan.woda,

This is my problem! “There is something wrong in paradise”, apparently Google has a flaw. See the “sskorol” answer!

I’m following what he suggests, I changed the scope in Google Actions including offline_access, now my application is “Under Review”, let’s see how long Google will take to approve.

In the meantime, I put my API “https://legooluskitsmart.auth0.com/api/v2/” in Tenant Settings-> Default Audience, but I don’t know what to put in the Default Directory field, could you help me?

I am not sure about this one…I can give you some advice though.

This could be potentially hazardous. You are requesting a management API token with every single request. Depending on what permissions they are given, they could do everything a dashboard admin can do. If you are using other apps in this tenant this could certainly cause issues and you will want to be cautious.

They also mention:

play with refresh token timeouts on Auth0 API level to check if everything works as expected.

Refresh tokens at Auth0 don’t expire, so I am not sure what this means.

I would say play around with it and let us know what you get working.

Hi @dan.woda,

I understand, but what other solution do you think? I’ve tried everything.

With this solution I am connected for more than 48 hours without problems.

I’m not sure I would do this in a production tenant without a thorough review, but if you are just doing it for a small personal project it is obviously less of a risk.
