Clarify limits for checkSession method about auth0-spa-js HOT 7 CLOSED

Yeah, if you have an inactivity session limit set to 5 mins, and you want to be able to extend that session, I can see why you want to use cacheMode: off every 5 minutes.

In that case, you would hit the same limit as you'd with Auth0.js, yes.

To be honest, I am not sure where the 15min limit is coming from on the Auth0.js page you shared, but it most likely also depends on the tier you are using etc. If it would cause issues, I think you want to consider increasing the session time (but that's ofcourse not something I have any say in, just want to mention it)

from auth0-spa-js.

Thanks for reaching out. Can you elaborate what issues you encounter that made you look for this limitation?

checkSession works differently in Auth0-SPA-JS to how Auth0.JS works, more specifically we have internal mechanisms to not hit Auth0 when not needed, which are not part of Auth0.js. Therefore, we have no such limitation defined for checkSession in Auth0-SPA-JS, same goes for getTokenSilently.

However, we are ofcourse interested to learn from your use-case that made you look for these limitations.

from auth0-spa-js.

@frederikprijck thanks for your response!

We want to set a 5-minute inactivity timeout for Auth0 session. We use auth0-react (which uses auth0-spa-js internally) in our application.
To keep the session active while the app is open we were looking for methods that can keep the activity of the session.
We found these two methods getTokenSilently and checkSession in auth0-spa-js, but also encountered that the auth0.js docs mentioned 15-minutes rate limits.
As auth0-spa-js has a similar method checkSession, that uses getTokenSilently internally, we got confused about the limits

from auth0-spa-js.

As mentioned, both work differently. With Auth0-SPA-JS having its own cache, and doing less calls to auth0, it makes little sense to consider the same limitations, as they do not share those same limitations. Even more so, i would argue you can call checkSession as much as you need, our cache should ensure auth0 isn't called when not necessary.

Closing, feel free to open another issue if you need further assistance.

from auth0-spa-js.

Limits do not apply even if I call getTokenSilently in auth0-spa-js with { cacheMode: off } options?

from auth0-spa-js.

They do, but limits may vary depending whether or not you use refresh tokens, which isn't the case with auth0-spa-js.

However, cacheMode off isnt something you should need so often it would hit limits. Can you expand on your use case if you think it will hit the limits?

from auth0-spa-js.

@frederikprijck We have an inactivity session limit for the auth0 session of 5 mins.
When an SPA application tab is open, we would like to keep the session active. For this purpose, we need to request auth API at least every 5 minutes, so the session remains active. We found only one method to do that, using getTokenSilently method.

But we fear that we can encounter the 15 mins limit (as I said we want to call it each 5 mins).

*We don't use refresh tokens, we use authentication through an iframe

from auth0-spa-js.