We have an Angular 16 application using the auth0-angular SDK (version 2.1.0) to integrate Auth0. The AuthModule has the below configuration:
And we have set the Refresh Token Expiration as below just for testing purposes.
Issue: We see that the initial login stores the access token and refresh token in local storage. But if we leave the application idle for 2 mins and then do an action that makes an API call, the app throws “Unknown or invalid refresh token”.
From the Authorization Server’s perspective, we are sending an expired refresh token and the error makes sense. But are we supposed to handle this error and redirect the user to the login page, or is the auth0-angular library supposed to help us with that (not sure if I am missing some configuration to enable that)?
Another observation is that this happens only when we use “useRefreshTokens: true” in AuthModule.forRoot(). When we have only offline_access added in scope without useRefreshTokens: true, it doesn’t throw the error, but it also doesn’t ask the user to re-login after the refresh token has expired (after 2 mins in my test). It just gets a new refresh token and continues.
Is this the expected behaviour?