Access Token Timeout Issue

I’m experimenting with Okta as an authentication provider for Kubernetes. In Terraform, I set the Access Token timeouts as follows:

access_token_lifetime_minutes = 6
refresh_token_lifetime_minutes = 10
refresh_token_window_minutes = 7

I expected that when a user logs in and is inactive for at most 10 minutes and then tries again to execute a Kubernetes query, he/she should be redirected to the Okta log-in page. But that is not what’s happening. Only if the user is inactive for 2 hours or more are they redirected to the log-in page. Am I missing something here? Below is the rule and a screenshot of the Okta admin page that shows the values are correctly set. Thanks!

resource "okta_auth_server_policy_rule" "auth_policy_rule" {
  name = "AuthCode + PKCE"
  auth_server_id =
  policy_id =
  priority = 1
  grant_type_whitelist = [
  scope_whitelist = ["*"]
  group_whitelist = ["EVERYONE"]

  access_token_lifetime_minutes = 6
  refresh_token_lifetime_minutes = 10
  refresh_token_window_minutes = 7
}


  1. Are you sure that your UI application does not silently refresh the access_token with Okta during those 2 hours?
  2. You can check the user's global session policy, which establishes the Okta session max lifetime.

Hi, and thanks for your response. The client is Kubernetes kubectl (command line). It exhibits the same behavior even if the terminal is restarted, so I doubt the client is sending token refresh requests.
I’m not familiar with the global session policy you mentioned, how do we check that? Thanks!

I see the grant is authz code with PKCE. Is it really how kubectl obtains this token? Or is there any proxy/provider doing OAuth dance with Okta?

It uses a plugin called kubelogin that manages OIDC communications on behalf of Kubernetes: kubelogin/ at master · int128/kubelogin

The only connection time-related setting it uses is called "

which really deals with the amount of time needed to connect to the OIDC through the browser, as the doc says it is 3 minutes. Thanks.

Gotcha. Always good to learn something new.

To be honest, I’d try to grab the access_token returned by Okta (if it’s visible in the console) and inspect it to see the expiration time (does it match your configured policy?). If it does, then maybe something is wrong with the plugin. If it does not match, then dig inside Okta. Maybe you are checking the wrong policy?

Check this article
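
The check suggested in the reply above (inspect the token and compare its expiry with the configured policy), as an added example that is not part of the original thread: it reads the `iat` and `exp` claims of any JWT, access or ID token, and compares the lifetime with the 6-minute `access_token_lifetime_minutes` from the question. The function names, the sample token and its issuer URL are constructed for illustration, and the signature is deliberately not verified.

```python
import base64
import json
import sys
import time

POLICY_ACCESS_TOKEN_MINUTES = 6  # access_token_lifetime_minutes from the question


def _b64url_json(segment):
    """Decode one base64url JWT segment (JWTs strip the '=' padding)."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def token_lifetime(jwt, now=None):
    """Report the lifetime claims of a JWT. The signature is NOT verified:
    use this to inspect a token you already hold, never to trust one."""
    parts = jwt.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected 3 dot-separated segments")
    claims = _b64url_json(parts[1])
    if "exp" not in claims or "iat" not in claims:
        raise ValueError("token has no exp/iat claims to compare")
    now = time.time() if now is None else now
    lifetime_min = (claims["exp"] - claims["iat"]) / 60
    return {
        "issuer": claims.get("iss"),
        "lifetime_minutes": lifetime_min,
        "remaining_seconds": claims["exp"] - now,
        "matches_policy": lifetime_min == POLICY_ACCESS_TOKEN_MINUTES,
    }


def make_sample_token(iat, minutes):
    """Constructed sample token with a placeholder issuer and signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {"iss": "https://idp.example/oauth2/placeholder",
               "iat": iat, "exp": iat + minutes * 60}
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(payload) + ".c2lnbmF0dXJl"


if __name__ == "__main__":
    # Pipe a real token on stdin (keeps it out of shell history and the
    # process list); with no piped input the constructed sample is used.
    piped = "" if sys.stdin.isatty() else sys.stdin.read().strip()
    token = piped or make_sample_token(int(time.time()), 60)
    print(json.dumps(token_lifetime(token), indent=2))
```

A `ValueError` here means the token is opaque rather than a JWT, so its lifetime cannot be read client-side.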

Thanks very much, I’ll check it out. Thanks again for your help!