Our goal is to log users out after 30 minutes of inactivity (in accordance with HITRUST) but let them stay logged in for a long time if they are continuously active. We have set the inactivity timeout to 30 minutes in the Auth0 dashboard.
Using auth0-spa-js, we call getTokenSilently() every time the user makes a network request, clicks, or presses a key.
Based on the documentation at Auth0 Single Page App SDK, calling getTokenSilently() should refresh the session. Instead, users are being logged out (“Login required” error from auth0 client) after 30 minutes even though we have called getTokenSilently() multiple times during that time period. Am I missing something here?
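The activity-driven keep-alive described in the question, written out as an added example (this is not the poster's code and not part of the Auth0 SDK). It assumes the auth0-spa-js v2 API: a client from `createAuth0Client()`, `getTokenSilently()` accepting `{ cacheMode: 'off' }` (v1 spelled this `ignoreCache: true`), `loginWithRedirect()`, and the SDK rejecting with an object whose `error` field is `'login_required'` once the Auth0 session is gone. The client is injected so the logic runs without a browser; `makeFakeClient` is a constructed stand-in used only so the block runs offline, and the 5-minute throttle is an assumed value that has to stay well under the tenant's 30-minute inactivity timeout. The cache point matters for the problem in the thread: with the cache on, `getTokenSilently()` returns the cached access token and does not contact Auth0 until that token expires, so calling it on every click only renews the Auth0 session if the call actually reaches the tenant.

```javascript
// Activity-driven session keep-alive for auth0-spa-js. Added example, not the
// poster's code. `client` is assumed to be the Auth0Client returned by
// createAuth0Client() (auth0-spa-js v2); it is injected so the logic can run
// and be tested without a browser or an Auth0 tenant.
function createSessionKeepAlive(client, options = {}) {
  // Throttle: at most one silent refresh per interval. Assumption: 5 minutes,
  // which must stay well below the tenant's 30-minute inactivity timeout.
  const throttleMs = options.throttleMs ?? 5 * 60 * 1000;
  const now = options.now ?? (() => Date.now());
  // cacheMode 'off' forces a round trip to Auth0 (v2 option; v1 used
  // ignoreCache: true). With the cache on, the SDK hands back the cached
  // access token until it expires and never touches the Auth0 session.
  const tokenOptions = options.tokenOptions ?? { cacheMode: 'off' };
  const onLoginRequired = options.onLoginRequired ?? (() => client.loginWithRedirect());

  const state = { lastRefreshAt: null, refreshAttempts: 0, inFlight: null, stopped: false };

  // Call on every user interaction or API request. Resolves to one of
  // 'skipped' | 'refreshed' | 'login_required' | 'error'.
  function touch() {
    if (state.stopped) return Promise.resolve('skipped');
    if (state.inFlight) return state.inFlight; // coalesce bursts of events
    const t = now();
    if (state.lastRefreshAt !== null && t - state.lastRefreshAt < throttleMs) {
      return Promise.resolve('skipped');
    }
    state.lastRefreshAt = t;
    state.refreshAttempts += 1;
    state.inFlight = client.getTokenSilently(tokenOptions)
      .then(() => 'refreshed')
      .catch((err) => {
        // The SDK rejects with { error: 'login_required', ... } once the
        // Auth0 session is gone; nothing silent can recover it.
        if (err && err.error === 'login_required') {
          state.stopped = true;
          onLoginRequired(err);
          return 'login_required';
        }
        return 'error'; // transient (e.g. network); retried at the next interval
      })
      .finally(() => { state.inFlight = null; });
    return state.inFlight;
  }

  return { touch, stats: () => ({ ...state, inFlight: state.inFlight !== null }) };
}

// Browser wiring: treat clicks, key presses, pointer moves and scrolls as
// activity. Returns a function that removes the listeners again.
function attachActivityListeners(keepAlive, target = globalThis.window) {
  if (!target || typeof target.addEventListener !== 'function') return () => {};
  const events = ['click', 'keydown', 'pointermove', 'scroll'];
  const handler = () => { keepAlive.touch(); };
  events.forEach((e) => target.addEventListener(e, handler, { passive: true }));
  return () => events.forEach((e) => target.removeEventListener(e, handler));
}

// Constructed stand-in for an Auth0Client so the example runs offline. In the
// browser the wiring would be (domain and clientId are placeholders):
//   const client = await createAuth0Client({ domain: 'YOUR_TENANT.auth0.com', clientId: 'YOUR_CLIENT_ID' });
//   const keepAlive = createSessionKeepAlive(client);
//   attachActivityListeners(keepAlive);
function makeFakeClient(behaviour) {
  const calls = [];
  return {
    calls,
    getTokenSilently(opts) {
      calls.push(opts);
      return behaviour === 'login_required'
        ? Promise.reject({ error: 'login_required', error_description: 'Login required' })
        : Promise.resolve('fake.access.token');
    },
    loginWithRedirect() { calls.push('loginWithRedirect'); return Promise.resolve(); },
  };
}
```

`touch()` is what the click, keydown and network-request hooks call; bursts of events collapse onto one in-flight refresh, and a `login_required` rejection stops the keep-alive and hands off to `loginWithRedirect()` instead of retrying forever.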
Welcome to the Community! To start with the obvious stuff, can you confirm your “Require Log In After” setting is something greater than 30 minutes? I’m guessing it is but again, best to get the obvious stuff out of the way.
It seems like our problem was the ID Token Expiration, which was set to 30 minutes. We now have the following configuration which appears to work as expected:
Application setting “ID Token Expiration” set to 36000 seconds (= 10 hrs). This was previously set to 1800 seconds (= 30 minutes).
Tenant setting “Inactivity timeout” set to 30 minutes.
Tenant setting “Require log in after” set to 10080 minutes (= 7 days).
API setting “Token Expiration For Browser Flows (Seconds)” set to 1800 seconds (= 30 mins).
It seems to work in my testing so far. Do you see any problem with the above?