In tenant advanced settings, we can adjust Idle Session Lifetime, described as:
Timeframe (in minutes) after which a user’s session will expire if they haven’t interacted with the Authorization Server
So after a user signs into an app, are there any actions that will keep extending the session lifetime? It doesn’t seem like calling getTokenSilently() does.
For testing, I have set Idle Session Lifetime to 3 minutes. Every 20s or so, if the user is actively using the app, I make a call to getTokenSilently(), which sends a request to auth0 (not every time, since it is cached, but at least a couple of times - I can see it in the network tab). However, if I refresh the tab after 3 minutes post-login, silent authentication subsequently ALWAYS fails, which means login is required once more.
Is this expected behaviour or am I likely doing something wrong?
Ideally, while a user is actively using one of our apps, if they then refresh the page, or open one of our apps in another tab, auth0 should silently authenticate them so they don’t need to sign in again interactively.
I am using the auth0-spa-js sdk, with useRefreshTokens enabled.
Thank you for posting your question. Are you able to link this behavior to any error you see in the Auth0 Dashboard, like Failed Silent Auth or Failed Exchange?
Interaction with the authorization server specifically refers to requests to /authorize, including silent authentication. Refresh token exchanges do not count as an interaction in this context. Therefore, the user session will not remain active if the only activity is refresh token exchanges.
To extend the session timeout, you’ll need to make a call to the /authorize endpoint with prompt=none.
I believe there’s no direct function for a prompt=none call, but you can override the parameters on the Auth0 SPA JS calls to add this param to the call to the Authorization Server.
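To make the keepalive described above concrete, here is an added example (not code from the thread, from Auth0, or from the auth0-spa-js SDK) of a small SPA helper that only issues /authorize?prompt=none requests while the user is actually active, so an idle user still times out as the tenant setting intends. It assumes auth0-spa-js v2 and a second Auth0Client instance created with useRefreshTokens: false, so that its getTokenSilently({ cacheMode: 'off' }) goes through the hidden-iframe /authorize request rather than a refresh-token exchange; the tenant domain, client_id, redirect_uri, fraction of the idle window and 20 s polling interval are constructed placeholders.

```javascript
// Added example for the thread above (not Auth0's code): keep the Auth0 idle session
// alive from a SPA. Only /authorize requests (including silent auth with prompt=none)
// reset the Idle Session Lifetime; refresh-token exchanges at /oauth/token do not.

const MS_PER_MINUTE = 60 * 1000;

// Build the silent-authentication URL that the SDK's hidden iframe would load.
// Every value passed in (tenant domain, client_id, redirect_uri, ...) is a constructed placeholder.
function buildSilentAuthorizeUrl(domain, { clientId, redirectUri, scope, state, nonce, audience }) {
  const url = new URL(`https://${domain}/authorize`);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', scope);
  url.searchParams.set('state', state);
  url.searchParams.set('nonce', nonce);
  if (audience) url.searchParams.set('audience', audience);
  // prompt=none: never render a login page; if there is no valid session the
  // server answers with error=login_required instead.
  url.searchParams.set('prompt', 'none');
  return url.toString();
}

// Decides when an /authorize call is due. Clock values are injected so the logic is testable.
class IdleSessionKeepAlive {
  constructor({ idleLifetimeMinutes, pingFraction = 0.5 }, now) {
    this.idleLifetimeMs = idleLifetimeMinutes * MS_PER_MINUTE;
    // Ping once this fraction of the idle window has elapsed since the last /authorize,
    // leaving headroom for a slow network or a throttled background tab.
    this.pingAfterMs = this.idleLifetimeMs * pingFraction;
    this.lastAuthorizeAt = now; // the interactive login itself was an /authorize request
    this.lastUserActivityAt = now;
  }
  recordUserActivity(now) { this.lastUserActivityAt = now; }
  recordAuthorizeCall(now) { this.lastAuthorizeAt = now; }
  // Ping only if the user has done something since the last /authorize (an idle user
  // should be allowed to time out) and enough of the idle window has passed.
  shouldPing(now) {
    const activeSinceLastPing = this.lastUserActivityAt > this.lastAuthorizeAt;
    return activeSinceLastPing && now - this.lastAuthorizeAt >= this.pingAfterMs;
  }
  // Once the whole idle window has passed without an /authorize call, silent auth will fail.
  isLikelyExpired(now) { return now - this.lastAuthorizeAt >= this.idleLifetimeMs; }
}

// One timer tick. `silentAuthClient` is assumed to be an auth0-spa-js v2 Auth0Client created
// with useRefreshTokens: false, so getTokenSilently({ cacheMode: 'off' }) performs the
// iframe-based /authorize?prompt=none request rather than a refresh-token exchange.
async function tick(keepAlive, silentAuthClient, now) {
  if (!keepAlive.shouldPing(now)) return 'skipped';
  try {
    await silentAuthClient.getTokenSilently({ cacheMode: 'off' });
    keepAlive.recordAuthorizeCall(now);
    return 'pinged';
  } catch (e) {
    // login_required: the server-side session is gone; the app must log in interactively.
    return e && e.error === 'login_required' ? 'login_required' : 'error';
  }
}

// Browser wiring (not executed here). Treat pointer and keyboard events as user activity,
// check every 20 s, and fall back to the interactive login on login_required.
function installInBrowser(keepAlive, silentAuthClient, mainClient, intervalMs = 20 * 1000) {
  for (const ev of ['click', 'keydown', 'pointermove']) {
    window.addEventListener(ev, () => keepAlive.recordUserActivity(Date.now()), { passive: true });
  }
  return setInterval(async () => {
    const result = await tick(keepAlive, silentAuthClient, Date.now());
    if (result === 'login_required') await mainClient.loginWithRedirect();
  }, intervalMs);
}
```

With the 3-minute Idle Session Lifetime from the question, the helper pings at most once every 90 s and only after real user input, which is the difference between the refresh-token calls in the original test (which never touch /authorize) and a keepalive that the authorization server actually counts as interaction. `isLikelyExpired` lets a tab that was restored or refreshed skip the doomed silent attempt and go straight to `loginWithRedirect()`; the server remains authoritative, since a stale estimate simply results in a `login_required` error from the next ping.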