In our applications, we maintain sessions that are 20 minutes long. For example, if there is no activity from the UI for more than 20 minutes, we need to revoke the access token and log out. This is doable in Okta, as it does provide revoke and logout methods. The issue here is that whenever there is any activity we want to extend the lifetime of the access token. Currently in Okta, it is fixed at 60 minutes, and there is no method to extend it, which means the access token will be gone after 1 hour even if the users are working with the UI. Would anyone please shed some insight into how to implement this, i.e. how to extend the lifecycle of an access token upon request? Does Okta maintain any login session? If yes, how to extend its timeout?
Thanks!
You need to check what your session lifetime is in Okta (check the authentication policy for your users). After you first log a user in, their Okta session lifetime will start ticking. Until it’s expired, you can always request a new access token from Okta w/o the user re-authenticating.
So if your access_token lifetime is shorter than the Okta session time, and your application session is shorter than the Okta session lifetime, you should be good to seamlessly request a renewal of the access token.
I hope it does make some sense to you, so that you can design an app session management solution according to your own requirements.
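The answer above juggles three clocks: the application's own idle timeout, the access token's lifetime, and the Okta session that a renewal keeps alive. The following is an added example, not code from this thread or from Okta, of the client-side decision a browser app makes on each tick: log out when idle too long, renew silently when the token is about to expire, otherwise do nothing. The renewal margin and the demo token are constructed assumptions; real lifetimes come from the org's authentication policy and authorization server settings.

```javascript
// Added example (not from the thread): a client-side session watchdog that
// reconciles the three clocks discussed above.

const APP_IDLE_TIMEOUT_SEC = 20 * 60;    // the original poster's 20-minute idle logout
const RENEW_BEFORE_EXPIRY_SEC = 5 * 60;  // assumed margin before the token's exp

// Base64url -> UTF-8 string (JWT segments are base64url without padding).
function b64urlDecode(s) {
  let b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Read the payload of a JWT WITHOUT verifying it. That is acceptable for
// scheduling a renewal on the client; it is never acceptable for an
// authorization decision, which belongs to the resource server after it has
// validated the signature, issuer and audience.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(b64urlDecode(parts[1]));
}

// What should the client do at `nowSec` (unix seconds)?
//  - idle past the app limit: revoke the token and log out (/revoke, /logout)
//  - token about to expire: renew it (a /authorize round trip while the Okta
//    session is alive, or a refresh_token grant); the renewal is what keeps
//    the Okta session alive
//  - otherwise: keep going
function decide({ accessToken, lastActivitySec, nowSec }) {
  const idleFor = nowSec - lastActivitySec;
  if (idleFor >= APP_IDLE_TIMEOUT_SEC) {
    return { action: 'revoke_and_logout', idleFor };
  }
  const { exp } = decodeJwtPayload(accessToken);
  if (typeof exp !== 'number') throw new Error('access token has no exp claim');
  const secondsLeft = exp - nowSec;
  if (secondsLeft <= RENEW_BEFORE_EXPIRY_SEC) {
    return { action: 'renew_access_token', idleFor, secondsLeft };
  }
  return { action: 'keep', idleFor, secondsLeft };
}

// Constructed, unsigned demo token (placeholder signature) so the example runs
// offline. A real access token is signed by the authorization server.
function makeDemoToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o), 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}

// Walk a constructed activity timeline and report the decision at each tick.
function simulate(accessToken, ticks) {
  let lastActivitySec = ticks[0].t;
  return ticks.map(({ t, active }) => {
    if (active) lastActivitySec = t;
    return { t, ...decide({ accessToken, lastActivitySec, nowSec: t }) };
  });
}

const NOW = 1700000000; // constructed "current time"
const demoToken = makeDemoToken({ sub: 'demo-user', exp: NOW + 3600 });
console.log(simulate(demoToken, [
  { t: NOW, active: true },
  { t: NOW + 10 * 60, active: true },   // keep
  { t: NOW + 56 * 60, active: true },   // inside the renewal margin: renew
  { t: NOW + 80 * 60, active: false },  // 24 minutes idle: revoke and log out
]));
```

The watchdog runs in the browser (a timer plus `mousemove`/`keydown` listeners that update `lastActivitySec`); the renewal it triggers is the `/authorize` or `/token` call discussed later in the thread.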
Thanks very much. How to request a new access token? After a new access token is requested, would the Okta session be extended? Our application session lifetime is 20 minutes after idling. If the Okta session is only 60 minutes, ours would be much longer than that. How to endlessly extend the Okta session?
When you request a renewed token your Okta session will be extended, so if you keep refreshing, it’ll be kept active.
Thanks. But HOW to renew an access token?
Can we say that whenever we call introspect or userinfo with an access token, the Okta session will be extended?
Thanks for the help. But may I know how to request a renewed token?
The same way you request the access_token initially.
Thanks. Are you saying by using the authorize method?
Yes, a regular /authorize call with all your parameters.
Thanks. Do you have an example of using HttpClient to call authorize to get a renewed access token? I composed authorize into a URL, and using a redirect I can successfully navigate to the Okta login page and return the code/access token. But I want to build this into a method so it can be called from JavaScript to get the renewed token, so as to extend the session. Is there any other way to get a renewed token, for example by using the current access token?
Thanks Again!
Would calling userinfo do the same trick to extend the Okta session? How about by using token? Thanks.
Thanks. Then how to use the refresh token? Where can I get any help in detail from Okta?
Please check the API documentation for the /token endpoint, which describes what has to be sent to get a new token, if you have a refresh token on hand.
Thanks. It is very hard for a beginner to learn Okta. The online help equals nothing to a beginner. 1. Are you saying using token can get a renewed token? 2. The token endpoint takes only code as a parameter, but it only allows being called one time. The second time calling with the same code, it failed. Would you please point me to a good source to get help? The topic is very simple: how to get the current Okta session extended. I do appreciate your help, but I am so tired of begging people from the Okta company. Thanks!
1. We have already figured out that to get a renewed token you need to call /authorize. The other option is to call /token if you have a refresh_token (it’s a special kind of token).
2. What you describe is the authorization code flow, where you can exchange a code for a token. Yes, this code is one-time only.
Please refer back to item 1, where we already figured out how you can get your Okta session extended. I don’t think you need to get to the second option with refresh_token, as it’s not going to help you in extending Okta’s session. That was a side track, as you asked how you can get a token w/o calling /authorize.
As a general suggestion, I’d recommend you read some basic 101 on OIDC flows.
Thanks. We have to use HttpClient to call authorize, as we want this to be an API. But authorize returns the code only in the redirect URL, not returning anything when called with HttpClient. I think my use case, extending the Okta session in an API fashion, is not uncommon at all. Do you have any online reference for this topic? Thanks.
Why does it have to be done from a back-end (or is it a native app), if I may ask?
For this use case it’s better to use the refresh_token flow to get your token, as it does not require having an Okta session after obtaining the refresh_token.
Truly appreciate your kind help on this issue. I am doing a pilot study of Okta as we are going to replace our existing authentication system with Okta. In our existing system, it has an UpdateLastActivity method that is called from all applications to extend the session maintained by the system. During the migration, we will be looking for a similar API. I will study the use of refresh_token. So far, I can only get access_token and id_token. By using what parameter could I get the refresh_token? I am facing a lot of frustration in learning Okta as the online help is very bad; basically it was not written for learners. Do you have any online references for me to read? Thanks!