Tags: jwt, auth0, auth0-lock

Does the bearer token sent to Auth0's /userinfo API endpoint ever expire?


We have Auth0 set up with their Lock widget v11 using Implicit Flow in our SPA. We have JWT expiration set to 15 minutes in the Application settings in the Auth0 admin portal, and we use Silent Authentication in our web app to get a new token periodically.

That flow is working fine and the tokens expire as they should. Our issue is with the userinfo endpoint. The Auth0 Lock widget is doing XHR requests to the userinfo endpoint internally. During a security screening it was discovered that if such a request is recorded by us and then requested again in Postman several hours later, the endpoint still responds with user details such as name and email. The bearer token sent in that request is not the same as the one issued with the 15-minute expiration time.

This is a security issue for us since it is possible to get basic user info long after the user chose to log out.

In the Auth0 admin portal I have tried setting "Inactivity timeout"/"Require log in after" under Tenant Settings > Advanced to 1 minute. I also tried lowering "JWT expiration" under Application settings. None of these settings affects the userinfo request, which still responds with user details.

Example of a request to the userinfo endpoint:

GET https://<tenant>.eu.auth0.com/userinfo

Request headers:
Authorization: Bearer <some token with length of 32>

Example of the response:

{
    "sub": "auth0|xxxxxxxxxxxxxxxxxx",
    "nickname": "John",
    "name": "John Doe",
    "picture": "xxxxxxxxxxxx",
    "updated_at": "2019-08-29T12:32:39.352Z",
    "email": "user@example.com",
    "email_verified": true
}

Is there any setting that governs the expiration of the bearer token sent to userinfo? Should it not have the same expiration as the application JWT expiration setting?


Solution

  • Unfortunately that token expiration is set for the endpoint and cannot be changed. This doc provides an answer.

    https://auth0.com/docs/tokens/guides/access-token/set-access-token-lifetime#access-token-lifetime-for-the-oidc-user-profile-endpoint
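Added example, not code from the question, the answer or Auth0. The captured /userinfo token in the question is 32 characters long with no `.` separators: an opaque token, which carries no readable claims, so the SPA has no way to read an expiry from it, and the linked doc is the only statement of its lifetime. An access token requested with an API `audience` is instead a JWT whose `exp` claim is visible to the client. The helper below tells the two apart when inspecting a captured `Authorization` header and reports the remaining lifetime where one can be read. It decodes without verifying any signature (inspection only), and the sample tokens, the `example.eu.auth0.com` tenant and the `https://api.example.com` audience are all constructed for the example.

```javascript
// Added example, not code from the question, the answer or Auth0.
// Inspect a bearer token captured from an Auth0 request: Auth0 Lock's
// internal /userinfo call uses an opaque token (no '.' separators, no
// readable claims) whose expiry the client cannot see, while an access
// token requested for an API audience is a JWT with a visible `exp`.
// Decoding here is inspection only: nothing is signature-verified.

function base64UrlEncode(str) {
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(str, 'utf8').toString('base64')
    : btoa(unescape(encodeURIComponent(str)));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(str) {
  let s = str.replace(/-/g, '+').replace(/_/g, '/');
  while (s.length % 4 !== 0) s += '=';
  return typeof Buffer !== 'undefined'
    ? Buffer.from(s, 'base64').toString('utf8')
    : decodeURIComponent(escape(atob(s)));
}

// Accepts a raw header line as it appears in a capture ("Authorization: Bearer x"
// or the unspaced "Authorization:Bearer x") or just the header value.
function parseAuthorizationHeader(line) {
  const m = /^(?:Authorization\s*:\s*)?Bearer\s+(\S+)\s*$/i.exec(line);
  return m ? m[1] : null;
}

function classifyBearerToken(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    // Opaque access token: a short random string, no claims to read.
    return { kind: 'opaque', length: token.length, exp: null };
  }
  try {
    const header = JSON.parse(base64UrlDecode(parts[0]));
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return { kind: 'jwt', alg: header.alg, aud: payload.aud, iss: payload.iss,
             exp: typeof payload.exp === 'number' ? payload.exp : null };
  } catch (e) {
    return { kind: 'unknown', length: token.length, exp: null };
  }
}

// Seconds until expiry (negative once expired); null when the token carries no
// visible exp, i.e. for the opaque token the lifetime is only known server-side.
function secondsRemaining(info, nowSeconds = Math.floor(Date.now() / 1000)) {
  return info.exp === null ? null : info.exp - nowSeconds;
}

// --- constructed samples (not real tokens) ---
// An opaque 32-character token like the one in the captured /userinfo request.
const SAMPLE_OPAQUE = 'k3Ny2Xb9QwLmPz7RtV1cHf8JdG0aSe4B';

// A JWT access token as issued for an API audience with a 15-minute lifetime
// (exp - iat = 900). The signature segment is a placeholder, not a signature.
const SAMPLE_IAT = 1567081959;
const SAMPLE_JWT = [
  base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({
    iss: 'https://example.eu.auth0.com/',
    sub: 'auth0|xxxxxxxxxxxxxxxxxx',
    aud: ['https://api.example.com', 'https://example.eu.auth0.com/userinfo'],
    iat: SAMPLE_IAT,
    exp: SAMPLE_IAT + 900,
  })),
  'placeholder-signature',
].join('.');

function report(headerLine, nowSeconds) {
  const token = parseAuthorizationHeader(headerLine);
  if (!token) return 'no bearer token in header';
  const info = classifyBearerToken(token);
  const left = secondsRemaining(info, nowSeconds);
  return info.kind === 'jwt'
    ? `jwt aud=${JSON.stringify(info.aud)} ${left > 0 ? left + 's left' : 'expired'}`
    : `${info.kind} token, expiry not visible to the client`;
}

console.log(report('Authorization:Bearer ' + SAMPLE_OPAQUE, SAMPLE_IAT));
console.log(report('Authorization: Bearer ' + SAMPLE_JWT, SAMPLE_IAT));
console.log(report('Authorization: Bearer ' + SAMPLE_JWT, SAMPLE_IAT + 3600));
```

Run it against the header copied out of the browser's network tab: an opaque result is the case the question describes, where no client-side check and no tenant or application lifetime setting changes when the token stops working at /userinfo, so the token should be treated as a live credential for as long as the linked doc says and never be logged, stored beyond the call that needs it, or pasted into tools.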