Hi All,
We’re using Okta authentication embedded within a web browser control (WebView) inside our application. We’ve noticed an issue where:
- If the Okta login page is loaded and left idle for approximately 15 minutes (i.e., no input provided),
- And then the user enters their credentials and clicks “Sign In,”
- The request fails with a “400 Bad Request” error.
It appears that leaving the page inactive for that duration causes something to expire or become invalid behind the scenes—possibly a session token, nonce, or CSRF-related artifact.
Has anyone encountered similar behavior?
- Is there a documented timeout or expiry for Okta login pages after they’re initially rendered?
- What’s the best way to handle or prevent this kind of timeout in an embedded browser setup?
Appreciate any guidance on understanding the root cause and recommended mitigation strategies.
Thanks in advance!