Sorry if this is a silly question, but I’m very new to this stuff and am not completely clear from reading the Auth0 docs. What I’m looking to do is to build a progressive web app (PWA). The PWA will contain a sensitive section which visitors can only access after logging in. I realise that the initial log-in needs to connect to the Auth0 APIs in order to authenticate, which requires that the visitor is online. However, what I’d like to do is include a ‘remember me’ checkbox with their log-in form, and if set, their log-in will be remembered even if the visitor goes offline.
So essentially the app needs to work such that after initial log-in the user could go offline and still access the sensitive section of the app.
Does Auth0 support this? If so, would it be implemented as JWT tokens - can they be used as a means of protecting certain pages of a site from being publicly accessible?
FInally are there any simple examples of this kind of thing?
This is just off the top of my head so I hope I got it right (and I hope I understood your Q):
Once the user is logged in, they remain “logged in” until they are explicitly logged out or until their SSO token expires. You can set the SSO expiry in your tenant settings with one caveat: there is a fixed 3 day inactivity timeout. SSO timeout > 3 days requires the user to be active at least once every 3 days.
Also, your application has its own token with its own expiry.
If the application token has expired, but the SSO token has not, the user will get a “You were logged in as a@b.c. Continue?”
If the SSO token has expired, the user will need to log back in.
If the SSO token has not expired, but the user has been inactive for 3 days, they will need to log back in.
Addendum: Beyond getting logged in, access control is mostly up to you. You can combine your own access control data (e.g., roles and/or groups in app_metadata) with rules in Auth0 + logic in your own app to control access to the various parts of your site.
That’s really interesting. Two counter-questions. My site will be using a custom .net back end and won’t integrate with any other services (no Google/Twitter login etc) so is the “SSO token” still the way the PWA will authenticate?
When someone opens the web app, say 1day after logging in, but they don’t have any internet connection this time, how does the app know whether their 3 day limit has been hit or not? Is that all handled in the Auth0 client-side script?
Ultimately I want to authenticate once then keep the user logged in for as long as possible whether they use the app online or offline.
Sorry for such delay in response! We’re doing our best in providing the best developer support experience out there, but sometimes the number of incoming questions is just too big for our bandwidth. Sorry for such inconvenience!