Our organization is building an MVC5 application using okta.AspNet and the authorization-code flow. What we have experienced is that when a user has been logged in long enough for their token to expire, the default UseOktaMvc Owin middleware does its job and refreshes the token (somewhat) silently.
Normally, this all goes off without a hitch. Where we are running into problems is when the user has taken a long time to fill out a form, their token expires, and then they try to perform a form post that has a request payload. Naturally, Owin intercepts the request, sees that the token needs to be refreshed, gets the new token from Okta, and then sends the request back on its way, but this time the request payload and/or query strings are gone and the user ends up with a 404.
Also, any variables that have been stored in the application session cookie get wiped out (we’re working on getting away from session variables altogether, but can’t completely get rid of them yet).
Does this sound right? Any thoughts on how to handle these situations?
Thanks in advance for the help!
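One client-side mitigation for the lost-payload problem described in the post, added here as an example that is not part of the original question and is not okta.AspNet code: a small helper that snapshots the form's fields just before submission and restores them on the GET that follows the re-authentication round trip. The storage interface is injected, so the same code runs in Node for testing and in the browser with `window.sessionStorage`; the key prefix, the excluded field names, and the function names are all assumptions.

```javascript
// Added example (not from the original post or from okta.AspNet): keep a user's
// form input across an authentication redirect that turns a POST into a GET.
// Storage is injected (window.sessionStorage in the browser, any object with
// getItem/setItem/removeItem elsewhere). Names and key prefix are assumptions.

const DRAFT_KEY_PREFIX = "form-draft:"; // assumed key prefix

// Never persist credentials or per-session tokens. The MVC anti-forgery token is
// tied to the session that the redirect replaces, so restoring it would only
// produce a fresh validation failure; a new one is rendered with the page.
const EXCLUDED_FIELDS = new Set(["__RequestVerificationToken", "password", "Password"]);

function isRestorable(name, type) {
  return !EXCLUDED_FIELDS.has(name)
    && type !== "password" && type !== "hidden" && type !== "file";
}

// Build a plain object from {name, value, type} descriptors (the shape of a
// form's elements), skipping fields that must not be persisted.
function snapshotFields(fields) {
  const out = {};
  for (const f of fields) {
    if (!f.name || !isRestorable(f.name, f.type || "text")) continue;
    out[f.name] = f.value;
  }
  return out;
}

// Save a timestamped draft; returns the draft so callers can inspect it.
function saveDraft(storage, formId, fields, now = Date.now()) {
  const draft = { savedAt: now, values: snapshotFields(fields) };
  storage.setItem(DRAFT_KEY_PREFIX + formId, JSON.stringify(draft));
  return draft;
}

// Return the saved values, or null when there is no draft, the draft is
// unreadable, or it is older than maxAgeMs. Stale or broken drafts are removed
// so they never silently reappear in a later visit.
function loadDraft(storage, formId, maxAgeMs, now = Date.now()) {
  const key = DRAFT_KEY_PREFIX + formId;
  const raw = storage.getItem(key);
  if (!raw) return null;
  let draft;
  try {
    draft = JSON.parse(raw);
  } catch (e) {
    storage.removeItem(key);
    return null;
  }
  if (!draft || typeof draft.savedAt !== "number" || now - draft.savedAt > maxAgeMs) {
    storage.removeItem(key);
    return null;
  }
  return draft.values;
}

// Call this from the page shown after a successful submission.
function clearDraft(storage, formId) {
  storage.removeItem(DRAFT_KEY_PREFIX + formId);
}

// Browser wiring: restore on load (the GET after re-authentication), save on
// submit (before the server can bounce the POST to the identity provider).
function attachDraftPreservation(form, storage, maxAgeMs = 30 * 60 * 1000) {
  const formId = form.id || form.action;
  const saved = loadDraft(storage, formId, maxAgeMs);
  if (saved) {
    for (const el of form.elements) {
      if (el.name in saved && isRestorable(el.name, el.type)) el.value = saved[el.name];
    }
  }
  form.addEventListener("submit", () => {
    const fields = Array.from(form.elements,
      (el) => ({ name: el.name, value: el.value, type: el.type }));
    saveDraft(storage, formId, fields);
  });
}
```

In the browser, call `attachDraftPreservation(document.getElementById("reportForm"), window.sessionStorage)` on page load; `sessionStorage` is scoped to the tab and discarded when it closes, which is why it is preferred over `localStorage` for partially typed form data. This only recovers what the user typed; it does nothing for server-side session variables that the redirect wipes, which still have to be moved out of the session or re-derived after re-authentication.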