Using the PHP SDK, is it necessary to check for refresh tokens?

I’m using Auth0’s PHP SDK to add social sign in to my website.

The quick start guide is helpful but it doesn’t mention refresh tokens at all.

As per the guide, I am using $auth0->getCredentials() !== null to verify that the user is logged in before they can access any protected areas of the site.

Some questions:

  1. At some point, I assume the user’s session (token?) will expire. What happens when this occurs? Will $auth0->getCredentials() simply return null or will some kind of error be thrown?

  2. When this happens, how should it be handled? Can the SDK automatically refresh the token without interaction from the user, or must the user log in again themselves?

  3. How can I test the above? Is there a way to force a token to expire so it needs to be refreshed, or can I change the token expiry timeout to be very short (e.g. 1 minute) for testing purposes?

Hi @irridium :wave:

To answer your first and second questions: yes, your application should check if a session/token has expired, and in cases where a refresh token is available, you can optionally refresh it using the renew() method without user interaction. Note that this will only work if you authenticated the end user with the offline_access role.

An example of token refresh is provided in the EXAMPLES.md file.

To answer your final question, inside your application’s settings tab scroll down until you find the “ID Token” section. You can change the expiration value in this section to a time you’d like to work with.

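An added example of the check described in the answer above (not code from the thread or from the SDK's EXAMPLES.md). It assumes SDK v8, where getCredentials() returns an object with accessTokenExpired and refreshToken properties and renew() performs the silent refresh, and it reads its settings from environment variables named here for illustration:

```php
<?php
require __DIR__ . '/vendor/autoload.php';

use Auth0\SDK\Auth0;
use Auth0\SDK\Configuration\SdkConfiguration;
use Auth0\SDK\Exception\Auth0Exception;

// Assumed: SDK v8 and environment variables you set yourself.
$auth0 = new Auth0(new SdkConfiguration(
    domain: getenv('AUTH0_DOMAIN'),
    clientId: getenv('AUTH0_CLIENT_ID'),
    clientSecret: getenv('AUTH0_CLIENT_SECRET'),
    cookieSecret: getenv('AUTH0_COOKIE_SECRET'),
    redirectUri: getenv('AUTH0_REDIRECT_URI'),
    // offline_access is what makes Auth0 issue a refresh token at login.
    scope: ['openid', 'profile', 'email', 'offline_access'],
));

// Returns usable credentials, renewing silently when the access token has
// expired and a refresh token exists; null means the user must log in again.
function currentCredentials(Auth0 $auth0): ?object
{
    $credentials = $auth0->getCredentials();
    if ($credentials === null) {
        return null; // no session: getCredentials() returns null, no exception
    }
    if (!$credentials->accessTokenExpired) {
        return $credentials; // still valid, nothing to do
    }
    if ($credentials->refreshToken === null) {
        $auth0->clear(); // logged in without offline_access: cannot renew
        return null;
    }
    try {
        $auth0->renew();                 // silent refresh, no user interaction
        return $auth0->getCredentials(); // fresh tokens and new expiry
    } catch (Auth0Exception $e) {
        $auth0->clear(); // refresh token revoked or expired: drop stale session
        return null;
    }
}

$credentials = currentCredentials($auth0);
if ($credentials === null) {
    header('Location: ' . $auth0->login()); // send the user to log in again
    exit;
}
echo 'Hello, ' . htmlspecialchars($credentials->user['name'] ?? 'user');
```

To exercise the refresh path, shorten the token lifetime in the dashboard as the answer suggests, log in, wait past the expiry, and reload a protected page: the first request after expiry should go through renew() rather than redirecting to login.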