Access Token vs Session Expire Time

Hi, I have integrated the embedded Okta Sign-In Widget into my SPA, and I have this logic in my login component to redirect to the home page if the user is authenticated:

```jsx
// Render the widget based on the current auth state (snippet as posted, closing brace restored)
if (authState.isAuthenticated) {
    return (<OktaSignInWidget onSuccess={onSuccess} onError={onError}/>);
}
```

I see that upon login success, my local storage has info about the ID token and access token with an expiry time one hour after login. But when I visit my login page after the tokens' expiry time, I'm still redirected to my home page as if I am authenticated.

So I'm posting here to try to understand how this works. Why does the access token get auto-renewed?

How do I prevent auto-renewal of the token, and force the user to log in again if more than 24 hours have passed since the previous login?

By default, okta-auth-js will return true for isAuthenticated() if the TokenManager contains tokens that have not expired.
Access to the Okta dashboard is not dependent on these tokens, but rather on a session cookie that is set for your Okta domain or custom domain URL.
(Note there are differences in how this is done depending on whether you are using an Okta Classic or an Okta IDX org.)

I assume the authentication policy your user authenticated against in your Okta org has a session lifetime longer than 1 hour. This is configurable all the way down to 5 minutes.

Refreshing tokens from the Okta frontend SDKs can either be done by relying on an existing valid Okta session (session cookie), or using a refresh token (the recommended approach).

1 Like
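The two expiries the thread keeps running into are different claims: `exp` on the token, which refresh keeps pushing forward, and the OIDC `auth_time` claim, which records when the user actually signed in and is not changed by a refresh. The following is an added example (not the poster's code, not part of okta-auth-js, and not an Okta-documented API) of using `auth_time` to enforce the "re-login after 24 hours" rule from the question; it assumes the ID token carries `auth_time`, and it reads claims without verifying the signature, so it is only suitable for client-side UX decisions, with the server still verifying the token (or calling /introspect) before trusting anything.

```javascript
// Added example, not from the thread or the Okta SDK. Separates the token's
// own `exp` (moved forward by every refresh) from `auth_time` (the original
// sign-in moment). Assumes the ID token carries the OIDC `auth_time` claim.

const MAX_SESSION_AGE_SECONDS = 24 * 60 * 60;

// Decode a compact JWT's payload WITHOUT verifying its signature.
// Only for client-side UX; the server must verify before trusting claims.
// Browsers would use atob(); Buffer is used here so it runs under Node.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Returns the reason the user must sign in again, or null if they may proceed.
// Checks `exp` first (token still valid at all?), then the age of the
// original authentication, which a refreshed token does not reset.
function reauthReason(token, nowSeconds, maxAgeSeconds = MAX_SESSION_AGE_SECONDS) {
  const claims = decodeJwtPayload(token);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return 'token expired';
  if (typeof claims.auth_time !== 'number') return 'auth_time claim missing';
  if (nowSeconds - claims.auth_time > maxAgeSeconds) return 'authentication too old';
  return null;
}

// Constructed sample token: base64url JSON header and payload with a
// placeholder signature, so it is only usable with decodeJwtPayload above.
function makeUnsignedToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.placeholder`;
}

const AUTH_TIME = 1700000000; // constructed sign-in timestamp (seconds)

// A token refreshed 25 hours after sign-in: `exp` is an hour out, so
// isAuthenticated()-style checks pass, but the login itself is a day old.
const refreshedToken = makeUnsignedToken({
  sub: 'user@example.com', auth_time: AUTH_TIME,
  iat: AUTH_TIME + 25 * 3600, exp: AUTH_TIME + 26 * 3600,
});

console.log(reauthReason(refreshedToken, AUTH_TIME + 25 * 3600 + 60)); // authentication too old
```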

Hi Erik! Thank you so much for the quick response. Our org is using Okta classic. Could you elaborate on or provide more resource about how the session cookie is set in this case?

Our application is in a state where the server side is responsible for the routing logic [which depends on the Okta authentication context], and since I'm building the SPA with the Sign-In Widget in the frontend [React], the server side does not have all the packaged functions like useOktaAuth() to obtain the session expiration information.

My initial thought was to pass the access token [and only the access token, to avoid attackers manipulating information by intercepting the request, like session expiry time or user role] back to the server side upon login, and use it to call the /introspect endpoint to both validate the authentication and get the session expiration time. But it seems like token expiration is different from what you have mentioned above.

So is there a way I could access the session cookie's expiry time on the server side?