Hi All,
We’ve created an Okta App for our website and configured an AWS ALB to authenticate users. Everything works fine.
On the Okta side our App has the following settings:
- General
  - Client Credentials
    - Client authentication - Client secret
    - Proof Key for Code Exchange (PKCE) - disabled
  - General Settings - Application
    - Application type - Web
    - Proof of possession - disabled
    - Grant type - Authorization code, Refresh Token, Implicit (hybrid)
  - Refresh Token
    - Refresh token behavior - Rotate token after every use
    - Grace period for token rotation - 60 Seconds
From AWS Documentation:
- If the session timeout is longer than the access token expiration and the IdP supports refresh tokens, the load balancer refreshes the user session each time the access token expires. The load balancer has the user log in again only after the authentication session times out or the refresh flow fails.
So now we’d like to check how we can immediately remove access to the App for a given user.
- The user is already authenticated in the App / ALB.
- We deactivate the user in Okta.
- The user is still able to open the website.
On the ALB side we can configure only the Session Timeout. We tried setting it to 5 minutes, and even the next day the deactivated user can still open the website.
What’s wrong with our configuration? How can we remove access for deactivated users?
Or maybe it’s impossible to handle this with the ALB and it has to be handled on the app side (using refresh tokens or some other way)?
Thanks!
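To make the documented rule quoted from the AWS docs easier to reason about, here is an added example (not code from the post, from AWS or from Okta) that models only that rule: a request is allowed while the access token is valid, an expired access token triggers a refresh, and the user is sent back to the IdP only when the authentication session has timed out or the refresh fails. The Okta side is a stub that rejects refreshes once the user is deactivated and rotates the refresh token on every use; the 60-second rotation grace period is not modeled. All timings (one request every 10 minutes, a 1-hour access token, a deactivation 30 minutes after login) are assumptions, since the post only states the 5-minute session timeout.

```python
"""Model of the ALB session/refresh rule quoted from the AWS docs in the post.

Added example, not the post's, AWS's or Okta's code. It encodes the documented
decision rule only (session timeout, access token expiry, refresh flow) and uses
a stub IdP. Every timing value below is an assumption.
"""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    started_at: int        # epoch seconds of the last full login through the ALB
    timeout: int           # ALB "Session timeout" setting, in seconds
    access_token_exp: int  # exp of the access token kept in the session cookie
    refresh_token: str     # current refresh token (rotated on every use)


# refresh(refresh_token, now) -> (new_access_token_exp, new_refresh_token) or None
RefreshFn = Callable[[str, int], Optional[Tuple[int, str]]]


def make_okta_stub(deactivated_at: Optional[int], token_lifetime: int) -> RefreshFn:
    """Stand-in for Okta's token endpoint with refresh-token rotation.

    A refresh succeeds only while the user is still active (now < deactivated_at)
    and only with the most recently issued refresh token; each success hands back
    a fresh access-token expiry and a new refresh token. The 60-second grace
    period from the post's settings is deliberately not modeled.
    """
    live = {"rt-0"}   # refresh tokens that are still accepted
    issued = [0]      # counter used to mint distinct rotated tokens

    def refresh(refresh_token: str, now: int):
        user_active = deactivated_at is None or now < deactivated_at
        if refresh_token not in live or not user_active:
            return None
        live.discard(refresh_token)
        issued[0] += 1
        new_rt = f"rt-{issued[0]}"
        live.add(new_rt)
        return now + token_lifetime, new_rt

    return refresh


def alb_request(session: Session, now: int, refresh: RefreshFn):
    """Apply the documented rule to a single request at time `now`.

    Returns ("allow", session) with a possibly refreshed session, or
    ("login", None) when the ALB would redirect the user to the IdP.
    """
    if now >= session.started_at + session.timeout:
        return "login", None                       # authentication session timed out
    if now < session.access_token_exp:
        return "allow", session                    # access token still valid
    refreshed = refresh(session.refresh_token, now)
    if refreshed is None:
        return "login", None                       # refresh flow failed
    new_exp, new_rt = refreshed
    return "allow", replace(session, access_token_exp=new_exp, refresh_token=new_rt)


def simulate(session: Session, request_times, refresh: RefreshFn) -> List[Tuple[int, str]]:
    """Replay requests in order and stop at the first one that forces a re-login."""
    trace = []
    for t in request_times:
        decision, session = alb_request(session, t, refresh)
        trace.append((t, decision))
        if decision == "login":
            break
    return trace


def run(session_timeout: int, deactivated_at: Optional[int] = None,
        token_lifetime: int = 3600, request_times=None) -> List[Tuple[int, str]]:
    """Constructed scenario: login at t=0, then one request every 10 minutes for a day."""
    if request_times is None:
        request_times = range(0, 24 * 3600 + 1, 600)
    session = Session(started_at=0, timeout=session_timeout,
                      access_token_exp=token_lifetime, refresh_token="rt-0")
    return simulate(session, request_times, make_okta_stub(deactivated_at, token_lifetime))


def first_login_prompt(trace: List[Tuple[int, str]]) -> Optional[int]:
    """Time of the first request that bounces the user to the IdP, or None if never."""
    for t, decision in trace:
        if decision == "login":
            return t
    return None


if __name__ == "__main__":
    print("active user, 7-day session:  ", first_login_prompt(run(604800)))
    print("deactivated 30 min after login:", first_login_prompt(run(604800, deactivated_at=1800)))
    print("5-minute session timeout:     ", first_login_prompt(run(300)))
```

Under this reading of the documented rule, a deactivated user keeps access only until the access token the ALB already holds expires (the refresh is then refused), and a 5-minute session timeout would force a re-login at the first request after five minutes regardless of the user's state. The behaviour described in the post (access still working the next day) is not what the model produces, which is exactly why the question above is worth raising with AWS/Okta support or checking against the actual access token lifetime configured on the Okta authorization server.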