User Session Active after Token Expired

Overview

This article explains why users still have an active session after the token configured in Auth0 application settings has expired.

Applies To

  • Auth0 Authentication API
  • Access Tokens
  • ID Tokens
  • React Applications
  • Login Session Management

Cause

Solution

Token lifecycle management in Auth0 involves the creation, validation, and expiration of tokens used for authentication and authorization.

When an access token expires, the Auth0 session may still be valid (its lifetime is configured in Settings > Advanced > Login Session Management). In that case a new token is issued without requiring the user to re-authenticate.

  • ID Token Expiration: The default expiration time for an ID token is typically 10 hours. This can be configured in the Auth0 Dashboard under application settings.
  • Access Token Expiration: By default, an access token for a custom API is valid for 24 hours. These expiration times can be adjusted in the API settings and application settings to meet specific requirements.

Users can continue receiving new tokens if their Auth0 session remains active, even if individual tokens have expired.

In React applications, developers can use the useAuth0 hook from the @auth0/auth0-react SDK to retrieve the current access token and ID token claims (including their expiration times) with code like the following:

import { useEffect } from "react";
import { useAuth0 } from "@auth0/auth0-react";

// Replace with your Auth0 tenant domain, e.g. "your-tenant.us.auth0.com"
const yourDomain = "YOUR_AUTH0_DOMAIN";

function TokenInspector() {
  const { user, isAuthenticated, getIdTokenClaims, getAccessTokenSilently } =
    useAuth0();

  // Request an access token for the API. If the cached token has expired but
  // the Auth0 session is still active, the SDK obtains a new one silently.
  useEffect(() => {
    const getUserMetadata = async () => {
      const domain = yourDomain;
      try {
        const accessToken = await getAccessTokenSilently({
          authorizationParams: {
            audience: `https://${domain}/api/v2/`,
            scope: "read:test",
          },
        });
        console.log("access token api is :", accessToken);
      } catch (e) {
        console.log(e.message);
      }
    };
    getUserMetadata();
  }, [getAccessTokenSilently, user]);

  // Read the ID token claims (including the `exp` claim) once a user is logged in.
  useEffect(() => {
    if (!user) return;
    const getID = async () => {
      try {
        const idToken = await getIdTokenClaims();
        console.log("id token from auth0:", idToken);
      } catch (err) {
        console.log(err);
      }
    };
    getID();
  }, [getIdTokenClaims, user]);

  return <p>{isAuthenticated ? "Logged in" : "Logged out"}</p>;
}

export default TokenInspector;