Access Token Timeout Issue

gary_r · May 6, 2023, 5:38pm

Hi,
I’m experimenting with Okta as an authentication provider for Kubernetes. In Terraform, I set the Access Token timeouts as follows:

access_token_lifetime_minutes = 6
refresh_token_lifetime_minutes = 10
refresh_token_window_minutes = 7

I expected that when a user logs in and is inactive for at most 10 minutes and then tries again to execute a Kubernetes query, he/she should be redirected to the Okta log-in page. But that is not what’s happening, if the user is inactive for 2 hours or more, only then are they redirected to the log-in page. Am I missing something here? Below is the rule and a screenshot of Okta admin page that shows the values are correctly set. Thanks!

resource “okta_auth_server_policy_rule” “auth_policy_rule” {
name = “AuthCode + PKCE”
auth_server_id = okta_auth_server.oidc_auth_server.id
policy_id = okta_auth_server_policy.auth_policy.id
priority = 1
grant_type_whitelist = [
“authorization_code”
]
scope_whitelist = [“*”]
group_whitelist = [“EVERYONE”]

access_token_lifetime_minutes = 6
refresh_token_lifetime_minutes = 10
refresh_token_window_minutes = 7
}

phi1ipp · May 6, 2023, 10:54pm

Are you sure that your UI application does not silently refresh access_token with Okta during those 2 hours?
You can check what is a user global session policy which establishes Okta session max lifetime

gary_r · May 7, 2023, 12:50am

Hi, and thanks for your response. The cline is Kubernetes kubectl (command line), it exhibits the same behavior even if the terminal is restarted so I doubt the client is sending token refresh requests.
I’m not familiar with the global session policy you mentioned, how do we check that? Thanks!

phi1ipp · May 7, 2023, 1:08am

I see the grant is authz code with PKCE. Is it really how kubectl obtains this token? Or is there any proxy/provider doing OAuth dance with Okta?

gary_r · May 7, 2023, 1:36am

It uses a plugin called kubelogin that manages OIDC communications on behalf of Kubernetes: kubelogin/usage.md at master · int128/kubelogin (github.com)

The only connection time-related setting it uses is called " ```
–authentication-timeout-sec

which really deals with the amount of time needed to connect to the OIDC through the browser, as the doc says it is 3 minutes. Thanks.

phi1ipp · May 7, 2023, 12:14pm

Gotcha. Always good to learn something new.

To be honest, I’d try to grab the access_token returned by Okta (if it’s visible in the console) and inspect it to see the expiration time (does it match your policy configured). If it does - then maybe something wrong is with the plugin. If it does not match - then dig inside Okta. Maybe you checking a wrong policy?

phi1ipp · May 7, 2023, 3:23pm

Check this article

gary_r · May 8, 2023, 12:20am

Thanks very much, I’l check it out. Thanks again for your help!