Automatic Session signout using okta-auth-js

We’re developing an SPA and we’re using okta-auth-js to log in to our own auth domain, maintained by our company.

We have a requirement on the application to force a signout whenever the current session surpasses 2h.

So we constructed the okta auth client code this way:

import { OktaAuth } from '@okta/okta-auth-js';

const authClient = new OktaAuth({
  issuer: env.oktaIssuer,
  clientId: env.oktaClientId,
  redirectUri: redirectUri,
  postLogoutRedirectUri: postLogoutRedirectUri,
  scopes: ['openid', 'profile', 'email', 'offline_access'],
  // https://github.com/okta/okta-auth-js#services
  services: {
    autoRenew: true,    // renew tokens in the background before they expire
    autoRemove: true,   // drop expired tokens from storage
    syncStorage: true   // keep tokens in sync across tabs
  },
  // https://github.com/okta/okta-auth-js#authorize-options
  maxAge: 7200          // sent as max_age on the authorize request
});

We were expecting that the maxAge parameter would be enough to force a signout, but it’s not working. Session and tokens seem to be two different moving pieces in the okta-auth-js code, so disabling token renewal didn’t force a signout, IIRC.

We ended up implementing the auto-signout code ourselves, using a setInterval check that decodes the ID or access token and extracts the auth_time claim (which in our understanding is similar to the session creation time) to determine whether enough time has passed to sign out the user.

But we’re not convinced this is the best approach; has someone had this requirement before, and how did/would you solve it?

Hello,
in Security ==> Global Session Policy you can add a policy with rules and a session timeout.
I never used it, but maybe it can work for you?

Hi! Another team has access to the Okta session settings, but as far as I’m aware, the global session policy is currently set to ‘infinite’, IIRC, but I believe the session timeout for our app is 2h… it doesn’t seem to work with okta-auth-js, though.

The maxAge parameter in the OktaClient settings is intended to be sent during the authorize call. You can find the max_age parameter in this document.

Currently there is no inbuilt functionality for timed sign-outs. However, you can set up your access token/refresh token combo to expire in 2 hours, and the app session will expire and need re-authentication at the end of it. When you make an authorize call at that point with the maxAge parameter set to 2 hours, Okta will challenge the user again for authentication even though the global session might be active.

2 Likes

I’ve set the maxAge and disabled token refresh like so:

import { OktaAuth } from '@okta/okta-auth-js';

const authClient = new OktaAuth({
  issuer: env.oktaIssuer,
  clientId: env.oktaClientId,
  redirectUri: redirectUri,
  postLogoutRedirectUri: postLogoutRedirectUri,
  scopes: ['openid', 'profile', 'email', 'offline_access'],
  // https://github.com/okta/okta-auth-js#services
  services: {
    autoRenew: false,   // no background renewal: tokens are allowed to expire
    autoRemove: true,   // drop expired tokens from storage
    syncStorage: true   // keep tokens in sync across tabs
  },
  tokenManager: {
    autoRenew: false    // same switch on the token manager itself
  },
  // https://github.com/okta/okta-auth-js#authorize-options
  maxAge: 7200          // sent as max_age on the authorize request
});

What I observed was:

  1. Tokens were not set with a 2h expiration time; they seem to default to 1h
  2. After tokens expired, I was not redirected to sign-in page automatically, but when I refreshed the page, I was redirected to the sign-in page

With #1, I don’t think maxAge is changing anything; am I doing something wrong?

But regarding #1, is there anything OktaAuth should be doing to redirect to the sign-in page, or is there something I can call manually from the SDK, e.g. listen on the tokenManager expire event?
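An added example, not code from this thread or from okta-auth-js, covering the two client-side pieces the thread circles around: the auth_time-based session-age check the original poster described (a single timer armed from the claim instead of polling with setInterval), and a place to react to token expiry instead of waiting for a page reload. The token is a constructed alg "none" sample so the block runs offline; the okta-auth-js wiring at the bottom (tokenManager.getTokens, tokenManager.on('expired', ...), signOut, signInWithRedirect with maxAge) is written from memory of the SDK and is an assumption, not something executed here. The decode deliberately skips signature verification: that is acceptable for a UX timer, never for an access decision.

```javascript
// Added example (not code from this thread or from okta-auth-js): enforce an
// absolute 2h session lifetime client-side from the OIDC `auth_time` claim.
// `auth_time` is when the user authenticated at the IdP and survives token
// renewals; `iat`/`exp` reset on every renewal, so they measure token age,
// not session age. Decoding here skips signature verification, which is fine
// for a UX timer but must never be used to grant access.

const MAX_SESSION_AGE_SECONDS = 2 * 60 * 60; // the 2h requirement from the post

function base64UrlDecode(input) {
  const b64 = input.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  if (typeof Buffer !== 'undefined') {
    return Buffer.from(padded, 'base64').toString('utf8'); // Node
  }
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0)); // browser
  return new TextDecoder().decode(bytes);
}

function base64UrlEncode(str) {
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(str, 'utf8').toString('base64')
    : btoa(str);
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode only the payload of a JWS compact token. No signature check.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) {
    throw new Error('not a JWS compact serialization');
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Constructed sample token for offline use (alg "none", empty signature).
// Real Okta tokens are RS256-signed; this only exercises the claim logic.
function makeUnsignedTestToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.`;
}

// Seconds since the user authenticated. Falls back to `iat` when `auth_time`
// is absent (OIDC only requires auth_time when max_age was requested).
function sessionAgeSeconds(claims, nowSeconds) {
  const start = Number.isFinite(claims.auth_time) ? claims.auth_time : claims.iat;
  if (!Number.isFinite(start)) {
    throw new Error('token carries neither auth_time nor iat');
  }
  return Math.max(0, nowSeconds - start);
}

function secondsUntilForcedSignout(idToken, nowSeconds, maxAge = MAX_SESSION_AGE_SECONDS) {
  const age = sessionAgeSeconds(decodeJwtPayload(idToken), nowSeconds);
  return Math.max(0, maxAge - age);
}

// Arm one timer for the exact moment the limit is reached instead of polling
// with setInterval. Clock and timers are injectable for testing; in the
// browser call it with just (idToken, onSignout). Returns a cancel function.
function scheduleForcedSignout(idToken, onSignout, opts = {}) {
  const nowSeconds = opts.nowSeconds ?? Math.floor(Date.now() / 1000);
  const setTimer = opts.setTimer ?? setTimeout;
  const clearTimer = opts.clearTimer ?? clearTimeout;
  const remaining = secondsUntilForcedSignout(idToken, nowSeconds, opts.maxAge);
  if (remaining === 0) {
    onSignout('session-age-exceeded'); // already past the limit: sign out now
    return () => {};
  }
  const handle = setTimer(() => onSignout('session-age-exceeded'), remaining * 1000);
  return () => clearTimer(handle);
}

// Wiring sketch for okta-auth-js (assumed method names, not executed here):
//   const { idToken } = await authClient.tokenManager.getTokens();
//   const cancel = scheduleForcedSignout(idToken.idToken, () => authClient.signOut());
//   // With autoRenew off, react to expiry instead of waiting for a reload; maxAge
//   // on the re-authorize makes Okta re-prompt even if the global session is alive.
//   authClient.tokenManager.on('expired', () =>
//     authClient.signInWithRedirect({ maxAge: MAX_SESSION_AGE_SECONDS }));
```

Two caveats for anyone copying this: browsers throttle or suspend timers in background tabs, so re-run the check on `visibilitychange` or on focus rather than trusting the single timer; and the client timer is only a courtesy. The real enforcement point stays server-side (the access policy that sets the 1h/2h token lifetimes and the refresh-token lifetime), because anything that only lives in the SPA can be skipped by a user with devtools open.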