Concepts
Access Token: Expires 1 hour after it is issued, whether or not the user is active
ID Token: Expires 1 hour after it is issued, whether or not the user is active
Refresh Token: Valid for 30 days
Session Lock Behavior
Sessions are NOT locked after a specific idle time. Instead, they expire based on token validity:
After 1 hour: Access and ID tokens expire and must be refreshed using the refresh token
After 30 days: Refresh token expires, requiring full re-authentication (username, password, and any MFA step)
How the Refresh Logic Works
The session refresh dialog is driven by token age, measured from the moment the tokens were issued:
2 minutes before expiry (58 minutes after issue): System attempts a background refresh using the refresh token
1 minute before expiry (59 minutes after issue): Shows the dialog only if the background refresh failed
At expiry (60 minutes after issue): User is logged out if no refresh has occurred
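The timeline above, as an added example written for this page rather than code from the product itself. It models the three checkpoints (background refresh at T-2 min, dialog at T-1 min if that refresh failed, logout at T) with the clock and the token-refresh call injected so the behaviour can be exercised deterministically. The constants, the jwtExp/fakeJwt helpers, the SessionManager class and its retryFromDialog method are assumptions made for the illustration, not names from the original page.

```javascript
// Added example (not the product's own code): simulates the token-age based
// session timeline. Assumed values: 3600 s access/ID token lifetime,
// background refresh at T-120 s, dialog at T-60 s, logout at T,
// 30-day refresh-token lifetime. Clock and refresh call are injected.

const ACCESS_TOKEN_LIFETIME_S = 3600;
const REFRESH_TOKEN_LIFETIME_S = 30 * 24 * 3600;
const BACKGROUND_REFRESH_LEAD_S = 120;
const DIALOG_LEAD_S = 60;

// Read the `exp` claim of a JWT without verifying it. The client only uses
// it to schedule the refresh; signature validation is the server's job.
function jwtExp(token) {
  const payload = token.split('.')[1];
  const json = Buffer.from(payload, 'base64url').toString('utf8');
  const exp = JSON.parse(json).exp;
  if (!Number.isInteger(exp)) throw new Error('token has no numeric exp claim');
  return exp;
}

// Build an unsigned token with the given exp (constructed sample input,
// only so the example runs offline; never accept alg=none in production).
function fakeJwt(exp) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none', typ: 'JWT' })}.${b64({ exp })}.`;
}

function sessionTimeline(expiresAtS) {
  return {
    expiresAt: expiresAtS,
    backgroundRefreshAt: expiresAtS - BACKGROUND_REFRESH_LEAD_S,
    dialogAt: expiresAtS - DIALOG_LEAD_S,
  };
}

class SessionManager {
  // refresh: () => new access token string, or null when the refresh fails
  constructor({ accessToken, refreshTokenExpiresAtS, refresh }) {
    this.refresh = refresh;
    this.refreshTokenExpiresAtS = refreshTokenExpiresAtS;
    this.state = 'active';
    this.load(accessToken);
  }

  // A new access token restarts the 1-hour cycle and clears the dialog state.
  load(accessToken) {
    this.timeline = sessionTimeline(jwtExp(accessToken));
    this.backgroundTried = false;
    this.backgroundFailed = false;
    this.dialogShown = false;
  }

  tryRefresh(nowS) {
    // A refresh token past its 30-day lifetime cannot mint new tokens;
    // the user must re-authenticate.
    if (nowS >= this.refreshTokenExpiresAtS) return false;
    const token = this.refresh();
    if (!token) return false;
    this.load(token);
    return true;
  }

  // Called periodically by the app; returns the action taken at this tick.
  tick(nowS) {
    if (this.state === 'logged_out') return 'logged_out';
    const t = this.timeline;
    if (nowS >= t.expiresAt) {
      this.state = 'logged_out';
      return 'logout';
    }
    if (nowS >= t.backgroundRefreshAt && !this.backgroundTried) {
      this.backgroundTried = true;
      if (this.tryRefresh(nowS)) return 'refreshed';
      this.backgroundFailed = true;
      return 'refresh_failed';
    }
    if (nowS >= t.dialogAt && this.backgroundFailed && !this.dialogShown) {
      this.dialogShown = true;
      return 'show_dialog';
    }
    return 'active';
  }

  // The dialog's "stay signed in" action (assumed UI): retry the refresh.
  retryFromDialog(nowS) {
    if (this.state === 'logged_out' || !this.dialogShown) return false;
    return this.tryRefresh(nowS);
  }
}
```

Note that a successful background refresh at 58 minutes never shows the dialog and never logs the user out, which is the transparent path; the dialog only appears on the failure path, and only for the one minute between the failed refresh and expiry.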
Key Points
No traditional "idle timeout": sessions expire based on token age, not user inactivity
The 1-hour token lifetime means the session must be refreshed every hour regardless of activity level
Background refresh uses the refresh token to obtain new access and ID tokens without user interaction
The dialog appears only when the background refresh fails and the session is about to expire
Because the background refresh needs no user interaction, an unattended but open session stays signed in until the refresh token expires (30 days); if an idle lock is required, it has to be enforced separately
This is why active users still see the refresh dialog: it is not triggered by idle time but by the 1-hour token expiration cycle, which applies to every user regardless of activity level.
