Perhaps I’m missing something here or not using the libraries correctly, but it seems as if the Okta libs for OWIN / .net (https://github.com/okta/okta-aspnet) don’t have any provision for checking / managing session expiration due to inactivity and/or Okta refresh tokens.
I’ve set it all up, and it’s working great with the OAuth flow. I get the token back, and it has an expiration time of 1 hour - which the Okta-aspnet dll correctly puts into the claims cookie. …and then it seems as if it totally ignores it and my session stays logged in to my site apparently indefinitely.
I wrote my own little plugin to the Owin pipeline that checks the claim and sees if the expiration is past due, and if so, returns a “forbidden” - which automatically routes me back to the logon page. …all good (I guess - shouldn’t the code provided by Okta handle that?).
So the next question is (assuming what I’m doing is the right strategy) - shouldn’t I be using the refresh token periodically to refresh the token from Okta with a new expiration (and to check if the user has logged out of Okta)? Should I be doing that when the original token expires instead of simply ending the session? I’m not confused about how to do that - I’m just wondering if I should be doing it.
Does anyone do this? Any suggestions? Did you write your own code to do it?
Thanks!
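An OWIN middleware of the kind the post describes, added here as an example; it is neither the poster's code nor part of okta-aspnet. It assumes the expiry is stored on the signed-in principal as a Unix-time claim named `exp` (claim name assumed), and the class and extension names are made up for the example.

```csharp
using System;
using System.Globalization;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

// Assumed name. Rejects requests whose authenticated principal carries an expired token.
public class TokenExpiryMiddleware : OwinMiddleware
{
    // Assumption: the expiry claim is "exp" holding Unix seconds; adjust to what your cookie contains.
    private const string ExpiryClaimType = "exp";

    public TokenExpiryMiddleware(OwinMiddleware next) : base(next) { }

    public override async Task Invoke(IOwinContext context)
    {
        ClaimsPrincipal user = context.Authentication.User;
        if (user?.Identity?.IsAuthenticated == true && IsExpired(user, DateTimeOffset.UtcNow))
        {
            // Clear the cookie session and return 403 so the app's auth handling sends the user to log in.
            context.Authentication.SignOut();
            context.Response.StatusCode = 403;
            return;
        }
        await Next.Invoke(context);
    }

    // Fail closed: a missing or unparsable expiry claim is treated as expired.
    public static bool IsExpired(ClaimsPrincipal user, DateTimeOffset now)
    {
        Claim claim = user.FindFirst(ExpiryClaimType);
        if (claim == null) return true;
        if (!long.TryParse(claim.Value, NumberStyles.Integer, CultureInfo.InvariantCulture, out long seconds))
            return true;
        return DateTimeOffset.FromUnixTimeSeconds(seconds) <= now;
    }
}

public static class TokenExpiryExtensions
{
    // Register this after the cookie authentication and Okta middleware so the principal is already populated.
    public static IAppBuilder UseTokenExpiryCheck(this IAppBuilder app)
    {
        return app.Use<TokenExpiryMiddleware>();
    }
}
```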