Angular App: User was not getting automatically logged out even after expiring idle session time (from global session policy)

Hi Team,

We are trying to implement auto logout with the help of idle session timeout from global session policy.

The "Expire session after user has been idle on Okta for" was set to 15 minutes. From the client side application we have ensured there is no user interaction once the user logs in. Auto renew was set to false in order to prevent automatic token requests. Even after completing the idle timeout, the user was still logged in.

We were not able to identify any events getting triggered at the time of idle session timeout. Could you please let us know why the user was not logged out even after the idle session timeout?

Please find the configuration used while testing the above scenario:

  1. Access token lifetime is: 5 minutes
  2. Expire session after user has been idle on Okta for: 8 minutes
  3. Refresh token lifetime is: 10 minutes
  4. Refresh token expire if not used every: 10 minutes
  5. Maximum Okta session lifetime: 15 minutes

Hey there @Anugrah_SR !

Can you provide a little more info about your setup? Specifically, are you using the Okta-hosted redirect login, embedded sign-in widget, custom login, or something else? Are you using @okta/okta-angular and @okta/okta-auth-js SDKs?

Hi @alisaduncan,

The user logs in to the application through the embedded sign-in widget, and we are using the following packages.

  1. @okta/okta-angular: version - 6.2.0
  2. @okta/okta-auth-js: version - 7.4.2
  3. @okta/okta-signin-widget: version - 7.11.1

Please let us know if more information is needed.

Many Thanks,

Hi @alisaduncan ,

It would be great if you could provide some updates on the query. Please let me know if you need any further information from me. I appreciate your time and consideration.

Many Thanks,

Is the refresh token still valid after the user's Okta session has expired? Based on your description, I would expect the following:

  • Start
    • User logs into Okta: new Okta session created, will expire in 8min
    • Access token (expires in 5min) and refresh token issued (expires in 10min)
  • +5 minutes
    • Access token has expired. Our Angular SDK will automatically renew tokens for you
      • new Access token (expires in 5min) and refresh token issued (expires in 5min)
    • Okta session expires in 10 minutes (unchanged, as Okta session was not for the refresh)
  • +8 minutes
    • Okta session has expired
    • User remains logged into application as application session is still valid (access token is valid for 2 more minutes, refresh token for 7min)
  • +10 minutes
    • Access token has expired. Our Angular SDK will automatically renew tokens for you
    • new Access token (expires in 5min) and refresh token issued (expires in 0min)
  • +15 minutes
    • Access token has expired. Refresh token is also expired. Angular app will redirect user back to Okta to login.

^^ is this the sequence you see occurring? Do you still see additional renewals after this point? If so, what do you see when you introspect the refresh token?

Since you set the refresh token lifetime to a max of 10 minutes, a new /authorize request would need to occur in order for the user to remain logged into your application after the 10 minute mark. This could be completed by the SDK itself (within a hidden iframe). Do you see /token requests every 5 minutes (aka, when your access token expires)? Do you ever see another /authorize request? If so, what does it look like (e.g. does it have prompt=none attached and response_mode=okta_post_message)?


Hello @andrea

Please have a look at our observation, which is given below:

  • Start
    • User logs into Okta: new Okta session created, will expire in 8min
    • Access token (expires in 5min) and refresh token issued (expires in 10min)
  • +5 minutes
    • Access token has expired. Automatic token renew was set to false using the configuration tokenManager: { autoRenew: false }
      • Automatic token renew was not triggered
    • Okta session expires in 10 minutes (unchanged, as Okta session was not for the refresh)
  • +8 minutes
    • Okta session has expired
  • +9 minutes
    • A token renew request was triggered by invoking the tokenManager.renew('refreshToken') method
      • A new access token was received

I was not expecting the last token request (at +9 minutes) to succeed, since the Okta session was supposed to expire at the 8th minute. I am trying to understand what could have caused this behavior, or is this the expected behavior?

Many Thanks

The access and refresh token lifetimes are separate from the Okta session lifetime. Even if the Okta session has expired, as long as the user's tokens are still active, they will remain logged into the application.
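A minute-by-minute model of the lifetimes in the expected timeline above and in the observation that followed, added here as an example; it is not code from the thread or from the Okta SDKs. It assumes that a /token renewal never extends the Okta session, that a rotated refresh token keeps the first grant's absolute expiry, and that a renewal issued in the exact minute the refresh token expires still succeeds (which is how the +10 step in the expected timeline treats it). `simulate`, `threadPolicy` and the option names are invented for this example; the numbers are the ones posted in the question.

```typescript
// Added example, not code from the thread or from Okta: a minute-by-minute model of how the
// access token, refresh token and Okta session lifetimes interact. Assumptions: a /token
// renewal never extends the Okta session, a rotated refresh token keeps the first grant's
// absolute expiry, and a renewal in the exact minute the refresh token expires still succeeds.

interface LifetimePolicy {
  accessTokenMinutes: number;   // "Access token lifetime"
  refreshTokenMinutes: number;  // "Refresh token lifetime" (absolute, counted from login)
  refreshIdleMinutes: number;   // "Refresh token expire if not used every"
  sessionIdleMinutes: number;   // "Expire session after user has been idle on Okta for"
  sessionMaxMinutes: number;    // "Maximum Okta session lifetime"
}

interface SimulationOptions {
  autoRenew: boolean;        // tokenManager: { autoRenew } in the SDK configuration
  manualRenewAt?: number[];  // minutes at which the app itself calls tokenManager.renew()
  horizonMinutes?: number;   // how far to run the model (default 30)
}

interface TimelineEvent { minute: number; event: string; }

interface SimulationResult {
  events: TimelineEvent[];
  oktaSessionExpiresAt: number;
  appLoggedOutAt: number | null; // first minute with neither a valid access token nor a usable refresh token
}

// Constructed policy object holding the values posted in the question.
const threadPolicy: LifetimePolicy = {
  accessTokenMinutes: 5, refreshTokenMinutes: 10, refreshIdleMinutes: 10,
  sessionIdleMinutes: 8, sessionMaxMinutes: 15,
};

function simulate(policy: LifetimePolicy, opts: SimulationOptions): SimulationResult {
  const horizon = opts.horizonMinutes ?? 30;
  const manualRenew = new Set<number>(opts.manualRenewAt ?? []);
  const events: TimelineEvent[] = [];
  // The user never touches Okta again after login, so the idle timer (capped by the max) ends the session.
  const oktaSessionExpiresAt = Math.min(policy.sessionIdleMinutes, policy.sessionMaxMinutes);
  const refreshAbsoluteLimit = policy.refreshTokenMinutes;
  let accessExpiresAt = policy.accessTokenMinutes;
  let refreshExpiresAt = Math.min(policy.refreshIdleMinutes, refreshAbsoluteLimit);
  let appLoggedOutAt: number | null = null;
  events.push({ minute: 0, event: `login: access until +${accessExpiresAt}, refresh until +${refreshExpiresAt}, Okta session until +${oktaSessionExpiresAt}` });

  for (let t = 1; t <= horizon; t++) {
    if (t === oktaSessionExpiresAt) events.push({ minute: t, event: 'Okta session expired' });
    const accessValid = t < accessExpiresAt;
    const refreshUsable = t <= refreshExpiresAt;
    if ((!accessValid && opts.autoRenew) || manualRenew.has(t)) {
      if (refreshUsable) {
        // Rotation: the new refresh token gets a fresh idle window but keeps the absolute limit.
        accessExpiresAt = t + policy.accessTokenMinutes;
        refreshExpiresAt = Math.min(t + policy.refreshIdleMinutes, refreshAbsoluteLimit);
        events.push({ minute: t, event: `renewed with refresh token: access until +${accessExpiresAt}, refresh until +${refreshExpiresAt} (Okta session untouched)` });
      } else {
        events.push({ minute: t, event: 'renew failed: refresh token expired' });
      }
    }
    if (!(t < accessExpiresAt) && !(t <= refreshExpiresAt)) {
      appLoggedOutAt = t;
      events.push({ minute: t, event: 'no valid access or refresh token left: app must redirect to /authorize' });
      break;
    }
  }
  return { events, oktaSessionExpiresAt, appLoggedOutAt };
}

function printTimeline(result: SimulationResult): void {
  for (const e of result.events) console.log(`+${e.minute}m  ${e.event}`);
  console.log(`Okta session ended at +${result.oktaSessionExpiresAt}m, app session ended at +${result.appLoggedOutAt}m`);
}

printTimeline(simulate(threadPolicy, { autoRenew: true }));                           // app stays in until +15
printTimeline(simulate(threadPolicy, { autoRenew: false, manualRenewAt: [9] }));      // renew at +9 succeeds
```

With the question's numbers the model reproduces both observations: the Okta session ends at +8 in every run, while the application session only ends once no token is left (+15 with autoRenew on, and a manual renew at +9 still succeeds with autoRenew off). Changing the refresh token lifetime so it does not outlive the Okta idle timeout is the one knob in this model that makes the two end together.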

Thank you @andrea for the details,

Like you have mentioned 'access and refresh token lifetimes are separate from the Okta session lifetime', does the "keep me signed in" or "remember me" setting have any impact on refresh token and access token lifetime? If so, how would the token expiry change if the user selects the "keep me signed in" option while logging in (using the widget)?

Also, it would be great if you could share some configuration, if any, that can be used to manage application idle timeout. Our intention is to have the user automatically log out after a specific period of inactivity. We expect that specific idle time value to be a setting on Okta.

Nope, neither of those settings will affect the token lifetimes.

I don't know of us having any specific guidance about application idle timeouts, but, in general, if you want to completely log a user out, you will want to:

  • Revoke the user's access and refresh tokens
  • Clear the tokens from your application & ensure this clears your user's application session
  • Use the /logout endpoint to end the user's Okta session
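An application-side idle timer that carries out the three steps listed above in that order, added as an example; it is not code from the thread or from the Okta SDKs. The `AuthActions` adapter, `IdleLogoutTimer` and the `InMemoryAuth` stand-in are invented for this example, and the comments note the @okta/okta-auth-js calls an adapter would map each step to. The clock is injected so the logic runs without real timers, a browser or an Okta org.

```typescript
// Added example, not from the thread or the Okta SDKs: an idle timer that logs the user out
// in the order the reply gives (revoke, clear, end the Okta session). All names are invented
// for this example; comments show the @okta/okta-auth-js calls a real adapter would use.

interface AuthActions {
  revokeTokens(): Promise<void>;    // e.g. await oktaAuth.revokeAccessToken(); await oktaAuth.revokeRefreshToken();
  clearTokens(): Promise<void>;     // e.g. oktaAuth.tokenManager.clear(), plus dropping any app-side session state
  endOktaSession(): Promise<void>;  // e.g. await oktaAuth.signOut(), which redirects to the /logout end-session endpoint
}

type LogoutStep = 'revokeTokens' | 'clearTokens' | 'endOktaSession';

interface LogoutReport {
  completed: LogoutStep[];
  failed: { step: LogoutStep; error: unknown }[];
}

class IdleLogoutTimer {
  private readonly auth: AuthActions;
  private readonly idleLimitMs: number;
  private readonly now: () => number;
  private lastActivity: number;
  private loggedOut = false;

  constructor(auth: AuthActions, idleLimitMs: number, now: () => number = Date.now) {
    this.auth = auth;
    this.idleLimitMs = idleLimitMs;
    this.now = now;
    this.lastActivity = now();
  }

  // Wire this to user-activity events (click, keydown, mousemove, touchstart) in the app.
  touch(): void {
    if (!this.loggedOut) this.lastActivity = this.now();
  }

  idleMs(): number {
    return this.now() - this.lastActivity;
  }

  isLoggedOut(): boolean {
    return this.loggedOut;
  }

  // Poll this on an interval. Returns null while the user is active (or already logged out);
  // otherwise runs the logout exactly once and reports which steps succeeded.
  async check(): Promise<LogoutReport | null> {
    if (this.loggedOut || this.idleMs() < this.idleLimitMs) return null;
    this.loggedOut = true; // flip before awaiting so an overlapping check() cannot run logout twice
    return this.runLogout();
  }

  private async runLogout(): Promise<LogoutReport> {
    const report: LogoutReport = { completed: [], failed: [] };
    // Revoke while the tokens are still at hand, then forget them locally, then end the Okta
    // session last because signOut() navigates away. A failing step is recorded, not fatal:
    // the remaining steps still run so the user ends up logged out of the app regardless.
    const steps: Array<[LogoutStep, () => Promise<void>]> = [
      ['revokeTokens', () => this.auth.revokeTokens()],
      ['clearTokens', () => this.auth.clearTokens()],
      ['endOktaSession', () => this.auth.endOktaSession()],
    ];
    for (const [step, run] of steps) {
      try {
        await run();
        report.completed.push(step);
      } catch (error) {
        report.failed.push({ step, error });
      }
    }
    return report;
  }
}

// Stand-in adapter (constructed for the example) that records calls and can simulate one failing step.
class InMemoryAuth implements AuthActions {
  readonly calls: string[] = [];
  private readonly failOn: LogoutStep | null;
  constructor(failOn: LogoutStep | null = null) { this.failOn = failOn; }
  private async step(name: LogoutStep): Promise<void> {
    if (name === this.failOn) throw new Error(`${name} failed (simulated)`);
    this.calls.push(name);
  }
  revokeTokens(): Promise<void> { return this.step('revokeTokens'); }
  clearTokens(): Promise<void> { return this.step('clearTokens'); }
  endOktaSession(): Promise<void> { return this.step('endOktaSession'); }
}

async function demo(): Promise<LogoutReport | null> {
  let clock = 0;
  const auth = new InMemoryAuth();
  const timer = new IdleLogoutTimer(auth, 15 * 60 * 1000, () => clock);
  clock = 5 * 60 * 1000; timer.touch();   // last user activity at +5 min
  clock = 19 * 60 * 1000;                 // 14 min idle: nothing happens
  if ((await timer.check()) !== null) throw new Error('logged out too early');
  clock = 20 * 60 * 1000;                 // 15 min idle: revoke, clear, end session
  return timer.check();
}

void demo().then((report) => console.log(report));
```

In the Angular app the adapter would be built around the client injected via OKTA_AUTH from @okta/okta-angular; `touch()` is called from user-activity listeners and `check()` from a short interval. The idle limit lives in the application, since the thread establishes that the Okta session policy alone does not end an application session whose tokens are still valid.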