Hi
We are seeing the Re-authenticating... banner after about 15 mins. It looks like the session has expired. How can we renew the session so that the banner goes away? Is there any SDK command that can be used to extend the session?
Thanks
Harshad
Hi,
It looks like a refresh token issue.
The refresh token is there to balance security and user experience.
Either it is not generated, or if generated, it is matching the JWT lifetime.
You should check how the authentication request is performed.
Is there a scope with offline_access mode requested when authenticating?
(This can be checked in the inspect mode of the browser when issuing the /authorization request.
Look at the URL query parameters.)
If not, just add it. This should extend the session lifetime to 24 hours and avoid re-authenticating too often.
If you cannot add it (or are not allowed to), then you may extend the tokens' lifetime in your IDP.
Refresh token lifetime will be mapped to the access token lifetime if this one is greater than 15 minutes.
Regards,
V.P.
Thanks @vpirat for the reply.
If we add offline_access to avoid the issue, can we then use the Auth.refreshToken command to refresh the token (e.g. every 5 min) to refresh the current token?
Also, by calling the Auth.refreshToken command, does it invalidate the current token? Can you confirm this for me?
Thanks
Hi,
1/ Yes, you could request to refresh the token, but you should consider whether that makes sense or not.
Refreshing the JWT is only required when you need to do something (i.e. logout or configure a user session). Those commands require a valid JWT (which gives you permission to do something on the API).
So when configuring a new user session, you need it to perform the action, but once done, your session remains available until the refresh token itself expires. When the refresh token expires, the authentication process is required again.
So while theoretically you can ask for a refresh of a JWT at any time, do it only when you need it.
2/ You can refresh only the current expired JWT.
Trying to refresh a JWT that has not expired will give you back the current (valid) one.
To sum up:
Hope this helps,
Regards,
V.P.
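
The two checks discussed in the replies above, as an added example that is not part of the thread and not the SDK's own code: whether the /authorization request asks for `offline_access`, and whether the current JWT has actually expired before a refresh is requested. The URL, client id, token and function names are constructed for illustration; the refresh call itself is left to the SDK.

```javascript
// Added example. All names and sample values below are constructed.

// Scopes requested in an OAuth2/OIDC authorization request URL.
function requestedScopes(authUrl) {
  const scope = new URL(authUrl).searchParams.get("scope") || "";
  return scope.split(/\s+/).filter(Boolean);
}

// offline_access is the scope that asks the IdP to issue a refresh token.
function requestsRefreshToken(authUrl) {
  return requestedScopes(authUrl).includes("offline_access");
}

// Decode the JWT payload. No signature check: this only reads "exp" locally.
function jwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, "=")));
}

// Seconds until the JWT expires; zero or negative once it has expired.
function secondsLeft(jwt, nowMs = Date.now()) {
  const { exp } = jwtPayload(jwt);
  if (typeof exp !== "number") throw new Error("JWT has no exp claim");
  return exp - Math.floor(nowMs / 1000);
}

// Refresh only when a command needs a valid JWT and the current one is expired;
// per the reply above, refreshing a still-valid JWT returns the same token.
function shouldRefresh(jwt, nowMs = Date.now()) {
  return secondsLeft(jwt, nowMs) <= 0;
}

// Constructed samples: an authorization request and an unsigned 15-minute JWT.
const SAMPLE_URL = "https://idp.example.com/authorization" +
  "?response_type=code&client_id=demo&scope=openid%20offline_access";
const b64url = (obj) => btoa(JSON.stringify(obj))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const ISSUED_AT = 1700000000; // constructed issue time, seconds since epoch
const SAMPLE_JWT = [b64url({ alg: "none" }),
  b64url({ sub: "demo", exp: ISSUED_AT + 900 }), "sig"].join(".");

console.log("offline_access requested:", requestsRefreshToken(SAMPLE_URL));
console.log("refresh at +5 min:", shouldRefresh(SAMPLE_JWT, (ISSUED_AT + 300) * 1000));
console.log("refresh at +16 min:", shouldRefresh(SAMPLE_JWT, (ISSUED_AT + 960) * 1000));
```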