I wanted to confirm if there was any way to keep a user’s Auth0 session active from a server. The only approach I have been able to find to keep a session alive is by calling the /authorize endpoint.
I am able to read the state of a user’s session by using the sid value from the id token created during the /token request and can see the time it was created and last updated. I was hoping I could use the refresh token returned in the same /token request to refresh the token and affect the updatedAt value in the user’s session, but it doesn’t seem to work that way.
We are sharing an Auth0 tenant across multiple applications and are using the Auth0 session cookies to manage authentication between the systems. However, the inactivity timeout is preventing a user from authenticating to another system even when they have been active in the platform.
We would like to avoid performing /authorize calls in the browser to keep the Auth0 session active because we have to restore state after the redirects. Do you have a recommendation for handling this situation? If there is no server side solution, do you recommend making silent auth calls in the background to keep the user’s Auth0 session active?
That’s exactly correct - You’ll want to look into utilizing Silent Auth and/or Refresh Tokens. Are you using a specific Auth0 SDK to auth users? This functionality is handled by all SDKs where possible.
With respect to Refresh Tokens, will refreshing the user’s token affect the inactivity timeout? I called the /api/v2/sessions/{sessionId} API after doing a refresh, and the updatedAt value remained unchanged. It is possible I made a mistake though.
We are currently using the Auth0 NextJS library to coordinate the user auth.
This is expected behavior - Refreshing tokens doesn’t affect the authentication session (IDP/Auth0 Level). The following topic does a good job explaining this:
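As an added illustration of the check discussed in this thread (example code, not from the posts above or from any Auth0 SDK): pull the `sid` from the ID token, compare the session record read via `/api/v2/sessions/{sessionId}` before and after a refresh, and decide from the session's last-update time whether the client is close enough to the inactivity timeout that it should run silent auth. The session JSON shape, the `updatedAt` field name as written in the question, and the 3-day inactivity timeout are assumptions; match them to your tenant's actual response and settings.

```python
import base64
import json
from datetime import datetime, timedelta, timezone


def _b64url(obj: dict) -> str:
    """base64url-encode a JSON object without padding (compact JWT segment)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample ID token: header.payload.signature with a fake signature.
# Only the "sid" claim matters here; a real token must be signature-verified
# against the tenant's JWKS before any claim is trusted.
SAMPLE_ID_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"sub": "auth0|example-user", "sid": "constructed-session-id"}),
    "constructed-signature",
])

# Constructed session records as the question describes them: one read before a
# refresh-token call and one after. As the answer says, the refresh does not
# touch the session, so updatedAt stays the same.
SESSION_BEFORE_REFRESH = {"id": "constructed-session-id",
                          "createdAt": "2024-01-01T10:00:00Z",
                          "updatedAt": "2024-01-01T10:30:00Z"}
SESSION_AFTER_REFRESH = dict(SESSION_BEFORE_REFRESH)


def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWT (no signature verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def session_id_from_id_token(token: str) -> str:
    return decode_jwt_payload(token)["sid"]


def refresh_touched_session(before: dict, after: dict) -> bool:
    """True only if the session's last-activity timestamp moved."""
    return before["updatedAt"] != after["updatedAt"]


def idle_remaining(session: dict, inactivity_timeout: timedelta, now: datetime) -> timedelta:
    """Time left until the inactivity timeout ends the Auth0 session."""
    updated = datetime.fromisoformat(session["updatedAt"].replace("Z", "+00:00"))
    return updated + inactivity_timeout - now


def needs_silent_auth(session: dict, inactivity_timeout: timedelta, now: datetime,
                      margin: timedelta = timedelta(minutes=5)) -> bool:
    """Trigger a background /authorize (silent auth) when the idle window is nearly used up."""
    return idle_remaining(session, inactivity_timeout, now) <= margin
```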