Expire Auth0 session in backend

Hi! I’m trying to achieve a feature where the user gets logged out based on inactivity time.

I set the access token expiration very low and expected to see some kind of error in my requests after that amount of time had passed, yet I keep receiving responses with status 200 and the data I requested.

My Auth0 configuration (to test this) looks like this:
id_token expiration: 36000s
access_token expiration: 40s
refresh token absolute and inactivity expiration: 40s
rotation activated

Also, if I expire the id_token, GraphQL throws an error on requests as expected, but this is not the case with the access token. However, I can’t achieve this feature by invalidating the id_token since I can’t seem to expire the id_token based on inactivity.

Am I missing something about how 8base works with Auth0? Or maybe a different strategy should be used?

Thanks!

Hello Diego!
We do not use access_token in 8base, because we have our own role-based authorization engine.
So basically you can’t “sync” Auth0 authorization with 8base; we provide only authentication with the help of id_token.

> I can’t achieve this feature by invalidating the id_token since I can’t seem to expire the id_token based on inactivity.

And how exactly do you track inactivity, and why can’t you just invalidate the id_token instead of the access_token?

Hi Foma!

Thanks for your answer.

> And how exactly do you track inactivity, and why can’t you just invalidate the id_token instead of the access_token?

We are currently not tracking inactivity by ourselves. I meant that Auth0 tracks the inactivity of the access_token, and allows you to expire it based on their tracking. But this feature isn’t available for id_token.

So if I understand correctly, to implement some kind of session inactivity expiration, the way to go is to track inactivity in our application front end, and then expire the session based on our own tracking, right?

Ok, got you.
Yeah, it was my first thought after you mentioned ‘inactivity’… I’m not sure about this approach and best practices here, but I can ask our dev team. I’ll come back to you.

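The front-end inactivity tracking discussed in this thread, as an added example that is not part of the original posts and is not 8base or Auth0 code: the app tracks user activity itself, renews a short-lived id_token only while the user is active, and logs out once the idle limit is reached. `IdleSessionGuard`, `attach`, `requestRenewal` and `logout` are hypothetical names; the two callbacks are assumed to be supplied by the app.

```javascript
// Assumptions: requestRenewal() starts an id_token renewal and the app calls
// setTokenExpiry() when it completes; logout(reason) clears stored tokens.
class IdleSessionGuard {
  constructor({ idleLimitMs, renewBeforeMs, requestRenewal, logout, now = Date.now }) {
    this.idleLimitMs = idleLimitMs;     // allowed inactivity window
    this.renewBeforeMs = renewBeforeMs; // renew when the token is this close to exp
    this.requestRenewal = requestRenewal;
    this.logout = logout;
    this.now = now;                     // injectable clock
    this.lastActivity = now();
    this.tokenExpiresAt = 0;
    this.renewing = false;
    this.expired = false;
  }

  // Call after login and after each renewal with the id_token's exp claim (seconds).
  setTokenExpiry(expSeconds) {
    this.tokenExpiresAt = expSeconds * 1000;
    this.renewing = false;
  }

  // Call on real user input only, never from background polling.
  touch() {
    if (!this.expired) this.lastActivity = this.now();
  }

  // Call periodically. Returns 'active', 'renewing' or 'expired'.
  tick() {
    if (this.expired) return 'expired';
    const t = this.now();
    const reason = t - this.lastActivity >= this.idleLimitMs ? 'idle'
      : t >= this.tokenExpiresAt ? 'token_expired' : null;
    if (reason) {
      this.expired = true;
      this.logout(reason); // fires once; later ticks and touches are ignored
      return 'expired';
    }
    if (!this.renewing && this.tokenExpiresAt - t <= this.renewBeforeMs) {
      this.renewing = true;
      this.requestRenewal(); // only an active user gets a fresh id_token
      return 'renewing';
    }
    return 'active';
  }
}

// Browser wiring: target is window or document.
function attach(guard, target, intervalMs = 5000) {
  for (const ev of ['click', 'keydown', 'pointermove']) {
    target.addEventListener(ev, () => guard.touch(), { passive: true });
  }
  return setInterval(() => guard.tick(), intervalMs);
}
```

The timer in the browser only decides when to stop renewing and drop the token; a copy of the id_token taken before logout stays usable until its own expiration, so the id_token lifetime is the real upper bound on an idle session.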