Handling Session Expiry and Improving User Experience in Passwordless Authentication Flow with Okta

We are implementing a passwordless authentication flow without MFA or security questions for both sign-in and sign-up using the Okta Identity Engine, the Okta SDK for Angular (@okta/okta-angular v6.2.0), and Auth JS (@okta/okta-auth-js v7.4.2).

The Okta admin console is configured to use the Email authenticator for authentication and recovery, with an email challenge lifetime of 5 minutes (default). For code verification, we use the oktaAuth.idx.proceed({ code }) method, which calls the /idp/idx/challenge/answer API.

An issue arises when the code is entered after the 5-minute challenge lifetime has expired. In such cases, the answer API call succeeds, but the response contains the message: “Your session has expired. Please try to sign in again,” along with the i18n error key: error.expired.session. This creates a suboptimal user experience since the API response indicates success, but the session is considered expired.

We are looking for guidance on how to address this issue and enhance the user experience. Additionally, is there a method in the SDK to check whether the session is active in this situation? Please find the screenshot of the answer API response for reference.
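As an added example (not code from the post or from the Okta SDK), a TypeScript helper that detects the expired-session response from oktaAuth.idx.proceed({ code }) by its i18n key rather than its English text, and restarts the flow instead of leaving the user at a dead end. It assumes the transaction object carries a `messages` array with `i18n.key` as the post describes, and that `oktaAuth.idx.cancel()` followed by `oktaAuth.idx.start()` is an acceptable way to begin a fresh interaction; the `*Like` interfaces and the sample response are constructed stand-ins.

```typescript
// Minimal subset of the IdxTransaction shape this example inspects (assumed).
interface IdxMessageLike {
  message: string;
  class?: string;
  i18n?: { key: string; params?: unknown[] };
}
interface IdxTransactionLike {
  status: string; // e.g. 'PENDING', 'SUCCESS', 'TERMINAL'
  messages?: IdxMessageLike[];
  tokens?: unknown;
}

const EXPIRED_SESSION_KEY = 'error.expired.session';
type CodeOutcome = 'authenticated' | 'session-expired' | 'retry-code' | 'pending';

// Key the check on the i18n key, not the English text, so a locale change
// or a copy edit in the tenant does not silently break the detection.
function classifyCodeResponse(tx: IdxTransactionLike): CodeOutcome {
  if (tx.status === 'SUCCESS' && tx.tokens) return 'authenticated';
  const keys = (tx.messages ?? []).map(m => m.i18n?.key ?? '');
  if (keys.includes(EXPIRED_SESSION_KEY)) return 'session-expired';
  if (tx.messages?.some(m => m.class === 'ERROR')) return 'retry-code';
  return 'pending';
}

// The three oktaAuth.idx methods the flow below relies on (assumed surface).
interface IdxClientLike {
  proceed(opts: { code: string }): Promise<IdxTransactionLike>;
  cancel(): Promise<IdxTransactionLike>;
  start(): Promise<IdxTransactionLike>;
}

// Submit the code; on expiry, clear the stale transaction and start a fresh
// one so the user is sent a new email instead of seeing a dead-end message.
async function submitEmailCode(idx: IdxClientLike, code: string): Promise<CodeOutcome> {
  const outcome = classifyCodeResponse(await idx.proceed({ code }));
  if (outcome === 'session-expired') {
    // cancel() may itself fail once the handle is dead; that is safe to ignore.
    await idx.cancel().catch(() => undefined);
    await idx.start();
  }
  return outcome;
}

// Constructed sample mirroring the response the post describes (status value assumed).
const SAMPLE_EXPIRED: IdxTransactionLike = {
  status: 'TERMINAL',
  messages: [{ message: 'Your session has expired. Please try to sign in again.',
               class: 'ERROR', i18n: { key: EXPIRED_SESSION_KEY } }],
};
```

In the Angular component, pass `oktaAuth.idx` as the client and branch the UI on the returned outcome, prompting for the identifier again when it is `session-expired`.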