I just had a user report to me that they were not prompted their password since logging in three days ago. I looked in the logs and found Success Exchange
and Sucess Login
events for them this morning. Was the user not prompted for their password because of the long length of the absolute expiration date of the refresh token on the application?
Hi @dfleming,
Thanks for reaching out to the Auth0 Community!
First, let me clarify that the Token Length should not have any effect on the user not being prompted to provide their credentials to log in.
The Success Exchange
and Success Login
logs you mentioned suggest to me that the user must have logged in without being prompted for their credentials by successfully exchanging a Refresh Token for an Access Token.
To be sure, could you please confirm if the description of your Success Exchange
logs states “Successful exchange of Refresh Token for Access Token”?
(Reference: Log Event Type Codes)
If so, then the Absolute Expiration of the Refresh Token in your Application settings, and the Inactivity timeout and Require log in after in your tenant settings are responsible for keeping the user logged in without interaction.
Because of this, I recommend checking these settings and selecting an expiration value that fits your needs.
Reference Materials:
Please let me know if you have any questions.
Thanks,
Rueben
Actually it appears as if the login type is of seacft
Hi @dfleming,
Thank you for your response.
The seacft
log event type code refers to a “Successful exchange of authorization code for Access Token”
(Reference: Log Event Type Codes)
This is where you take the code returned from calling the /authorize
endpoint and pass it to the /oauth/token
endpoint to exchange it for an access token. For example:
curl --request POST \
--url 'https://{yourDomain}/oauth/token' \
--header 'content-type: application/x-www-form-urlencoded' \
--data grant_type=authorization_code \
--data 'client_id={yourClientId}' \
--data 'client_secret={yourClientSecret}' \
--data 'code=yourAuthorizationCode}' \
--data 'redirect_uri={https://yourApp/callback}'
(Reference: Call Your API Using the Authorization Code Flow)
Moreover, the user could automatically be logged in if their session is still active. By default, the Login Session Management settings have the Inactivity timeout at 3 days, and the Require login after at 7 days.
With that, I recommend adjusting these settings on your Auth0 Dashboard > Settings > Advanced > Login Session Management to your preference.
Please let me know how this goes for you.
Thanks,
Rueben
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.