We built a SPA that communicates with a micro-services API. I tried configuring the session to time out every 30 minutes, so the user has to re-login every 30 minutes.
I updated:
Tenant Settings - Login Session Management
SPA - ID Token Expiration
API - Access Token Lifetime
It works.
I’m not sure if I have to configure all of the above, or if I can ignore some of them, or if in fact I missed some others.
Also, I noticed that the default expiration settings for sessions and tokens are quite long. I’m not sure what the best practice is; the longer the better?
I’ve checked our documentation regarding session management. If your main goal is to force the user to log in after the 30-minute mark, the "Require log in after" setting under Login Session Management will do the work. But having other pieces of the flow that cover the same requirement reduces the chance of failure due to untested changes, etc.
Require log in after: Timeframe (in minutes) after which a user will be required to log in again, regardless of their activity. Will be superseded by system limits if over 43,200 minutes (30 days) for Essential or Professional plans, or 525,600 minutes (365 days) for Enterprise plans.
I am not sure about this.
I configured the Session Lifetime and it only works when I refresh the page. However, even if it times out, I can still get the access token to trigger the microservices; it works until I set the access token lifetime to be the same as the session lifetime.