Which Authorization Server interactions affect Session Lifetime?

In tenant advanced settings, we can adjust Idle Session Lifetime, described as:

Timeframe (in minutes) after which a user’s session will expire if they haven’t interacted with the Authorization Server

So after a user signs into an app, are there any actions that will keep extending the session lifetime? It doesn’t seem like calling getTokenSilently() does.

For testing, I have set Idle Session Lifetime to 3 minutes. Every 20s or so, if the user is actively using the app, I make a call to getTokenSilently(), which sends a request to Auth0 (not every time, since it is cached, but at least a couple of times - I can see it in the network tab). However, if I refresh the tab after 3 minutes post-login, silent authentication subsequently ALWAYS fails, which means login is required once more.

Is this expected behaviour or am I likely doing something wrong?

Ideally, while a user is actively using one of our apps, if they then refresh the page, or open one of our apps in another tab, Auth0 should silently authenticate them so they don’t need to sign in again interactively.

I am using the auth0-spa-js SDK, with useRefreshTokens enabled.

Hi @daniel.loiterton,

Welcome back to the Auth0 Community!

Thank you for posting your question. Are you able to link this behavior to any error you see in the Auth0 Dashboard, like Failed Silent Auth or Failed Exchange?

Thanks
Dawid

Hi Dawid, yes I see Failed Silent Auth: Login required errors in the dashboard logs under these circumstances.

To expand on the above scenario:

Silent auth succeeds if:

  1. I refresh the page (or open the app in another tab) within 3 minutes of signing in
  2. I continue refreshing (or opening tabs) at intervals shorter than 3 minutes

But silent auth fails 3 minutes after this, even if I have subsequently refreshed the tokens with getTokenSilently.

Hi @daniel.loiterton

Thank you for the additional information. Based on this knowledge article → Inactivity Timeout and Refresh Token Exchanges

Interaction with the authorization server specifically refers to requests to /authorize, including silent authentication. Refresh token exchanges do not count as an interaction in this context. Therefore, the user session will not remain active if the only activity is refresh token exchanges.

To extend the session timeout, you’ll need to make a call to the /authorize endpoint with prompt=none.

Thanks
Dawid

Great, thank you for clarifying. I was starting to come to that conclusion too.

Do you know if there is a function in the SDK that makes that particular call to the /authorize endpoint with prompt=none?

Hi @daniel.loiterton

I believe there’s no direct function for a prompt=none call, but you can override the parameters on the Auth0 SPA JS calls to add this param to the call to the Authorization Server.

Thanks
Dawid
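
The rule quoted in this thread, replayed against the reported setup as an added example (not part of any post and not Auth0 or SDK code). It is a model only: the event names, the `replay` function and both timelines are constructed here, and it assumes the session ends once more than the idle limit passes without a successful /authorize request, ignoring the absolute session limit.

```javascript
// Added illustration: a model of the rule quoted in the thread, not Auth0 code.
// Assumption: the session ends once more than `idleSec` seconds pass without a
// successful /authorize request; the absolute session limit is not modelled.
const AUTHORIZE = "authorize";     // /authorize request, interactive or prompt=none
const REFRESH = "refresh_token";   // refresh token exchange

function replay(events, idleSec) {
  let lastInteraction = null;      // time (s) of the last request that touched the session
  return events.map(({ t, kind, interactive = false }) => {
    if (kind === REFRESH) {
      // Per the knowledge article: not an interaction, the idle timer keeps running.
      return { t, kind, outcome: "session_untouched" };
    }
    const alive = lastInteraction !== null && t - lastInteraction <= idleSec;
    if (!alive && !interactive) {
      return { t, kind, outcome: "login_required" }; // prompt=none with no live session
    }
    lastInteraction = t;
    return { t, kind, outcome: alive ? "session_extended" : "logged_in" };
  });
}

// Constructed timeline A (the reported setup): login, a refresh token exchange
// every 20 s, then a page reload (silent auth) at t = 200 s with a 180 s idle limit.
function refreshOnlyTimeline() {
  const events = [{ t: 0, kind: AUTHORIZE, interactive: true }];
  for (let t = 20; t < 200; t += 20) events.push({ t, kind: REFRESH });
  events.push({ t: 200, kind: AUTHORIZE });
  return events;
}

// Constructed timeline B: the same, plus one prompt=none /authorize call at t = 120 s.
function keepAliveTimeline() {
  const events = refreshOnlyTimeline();
  events.push({ t: 120, kind: AUTHORIZE });
  return events.sort((a, b) => a.t - b.t);
}

const last = (results) => results[results.length - 1].outcome;
console.log("refresh only:   ", last(replay(refreshOnlyTimeline(), 180)));
console.log("with keep-alive:", last(replay(keepAliveTimeline(), 180)));
```

Timeline A ends in the same "Login required" failure reported above; timeline B shows the reload succeeding once a /authorize request lands inside the idle window.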