Users getting logged out while active

Our goal is to log users out after 30 minutes of inactivity (in accordance with HITRUST) but let them stay logged in for a long time if they are continuously active. We have set inactivity timeout to 30 minutes in the auth0 dashboard.

Using auth0-spa-js, we call getTokenSilently() every time the user makes a network request, clicks, or presses a key.

Based on the documentation at Auth0 Single Page App SDK, calling getTokenSilently() should refresh the session. Instead, users are being logged out (“Login required” error from auth0 client) after 30 minutes even though we have called getTokenSilently() multiple times during that time period. Am I missing something here?

Hi @steven.broderick,

Welcome to the Community! To start with the obvious stuff, can you confirm your “Require Log In After” setting is something greater than 30 minutes? I’m guessing it is but again, best to get the obvious stuff out of the way.

Also, what is the lifetime of your ID token?

It seems like our problem was the ID Token Expiration, which was set to 30 minutes. We now have the following configuration which appears to work as expected:

  1. Application setting “ID Token Expiration” set to 36000 seconds (= 10 hrs). This was previously set to 1800 seconds (= 30 minutes).
  2. Tenant setting “Inactivity timeout” set to 30 minutes.
  3. Tenant setting “Require log in after” set to 10080 minutes (= 7 days).
  4. API setting “Token Expiration For Browser Flows (Seconds)” set to 1800 seconds (= 30 mins).

It seems to work in my testing so far. Do you see any problem with the above?

What you have there looks ok to me. As long as it meets your requirements / desired user experience. With those settings:

  • The user’s Auth0 session will expire after 30 minutes of inactivity,
  • The user’s Auth0 session will expire after 7 days even if active,
  • The ID token will expire in 10 hours (note the ID token will still be valid even after an idle user’s Auth0 session expires)
  • Access tokens will expire in 30 minutes

The only general recommendation I would make is to shorten the access token lifetime to 5 minutes, but even this depends on your requirements.
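An added example, not code from this thread or from Auth0, showing one way to drive getTokenSilently() from user activity without calling it on every click or keypress, and the trade-off that throttling creates against the 30-minute inactivity timeout. It assumes an auth0-spa-js client object exposing getTokenSilently() that rejects with an error whose `error` property is "login_required" once the Auth0 session is gone; every other name here is made up for the example.

```javascript
// Example keep-alive helper (hypothetical; not part of auth0-spa-js).
const MINUTE_MS = 60 * 1000;

// Tenant "Inactivity timeout" from the thread: 30 minutes.
const INACTIVITY_TIMEOUT_MS = 30 * MINUTE_MS;

// If getTokenSilently() is called at most once per `interval`, the Auth0
// session can go untouched for up to `interval` even while the user is
// active, so the idle time a user can really survive is timeout - interval.
function effectiveIdleAllowanceMs(inactivityTimeoutMs, minRefreshIntervalMs) {
  return inactivityTimeoutMs - minRefreshIntervalMs;
}

// Classify a getTokenSilently() rejection. "login_required" means the
// session is gone and the user must log in again; anything else (network,
// misconfiguration) is rethrown so it is not silently treated as a logout.
function classifyTokenError(err) {
  if (err && err.error === 'login_required') return 'login_required';
  throw err;
}

function createKeepAlive(auth0Client, opts = {}) {
  const {
    minRefreshIntervalMs = 5 * MINUTE_MS,   // well under the 30 min timeout
    now = () => Date.now(),                  // injectable clock for tests
    onLoginRequired = () => {},              // e.g. redirect to login
  } = opts;
  let lastRefreshAt = -Infinity;
  let lastActivityAt = now();

  // Call from click/keydown/fetch hooks. Returns the throttling decision so
  // callers can observe it; the silent token request itself runs async.
  function touch() {
    lastActivityAt = now();
    if (lastActivityAt - lastRefreshAt < minRefreshIntervalMs) return 'skipped';
    lastRefreshAt = lastActivityAt;
    auth0Client.getTokenSilently()
      .catch(classifyTokenError)
      .then((result) => { if (result === 'login_required') onLoginRequired(); })
      .catch((err) => {
        lastRefreshAt = -Infinity;           // allow a retry on next activity
        console.error('silent token refresh failed', err);
      });
    return 'refreshing';
  }

  // Milliseconds since the last user activity seen by this helper.
  function idleMs() { return now() - lastActivityAt; }

  return { touch, idleMs };
}
```

With a 5-minute throttle the worst case is a user who was active 4:59 after the last refresh and then idle for 25 minutes being logged out, so pick the interval with that reduction in mind.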