Currently, an absolute timeout is only supported for the Okta Session. The feature isn’t exposed in the admin portal, but you can configure it via an API call. The parameter is called maxSessionLifetimeMinutes. See https://developer.okta.com/docs/reference/api/policy/#signon-session-object.
The problem is that when this timeout occurs, and the user’s session is terminated, their refresh and access tokens are still valid.
If the access token lifetime is 15 minutes, and the refresh token lifetime is 1 hour, then every 15 minutes I can use the refresh token to get a new access token and a new refresh token. However, this means that the 1 hour lifetime of the refresh token is reset every 15 minutes, leading to no enforcement of an absolute timeout, and a 1 hour idle timeout.
How can I implement an absolute timeout for an OIDC/OAuth application?
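The following simulation is an added example and not part of the original question or any Okta code. It models the rotation behaviour described above (a 15 minute access token, a 1 hour refresh token, both lifetimes restarting on every refresh) and shows why the refresh token alone never yields an absolute timeout. It then adds an application-side check that pins the session to the time of the original interactive login, carried in the OIDC standard `auth_time` claim, so that a refresh is refused once the session exceeds a policy limit. The 8 hour limit, the `TokenPair` structure and the assumption that the provider includes `auth_time` in its ID tokens are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Lifetimes taken from the question (values constructed for the simulation).
ACCESS_LIFETIME = 15 * 60      # seconds
REFRESH_LIFETIME = 60 * 60     # seconds
# Hypothetical absolute-session policy the application wants to enforce.
MAX_SESSION_AGE = 8 * 60 * 60  # seconds


@dataclass
class TokenPair:
    access_exp: int   # epoch seconds at which the access token expires
    refresh_exp: int  # epoch seconds at which the refresh token expires
    auth_time: int    # time of the original interactive login (OIDC auth_time claim)


def issue(now: int, auth_time: int) -> TokenPair:
    """Mint a fresh pair. auth_time is carried over unchanged on rotation,
    so it keeps pointing at the real login even after many refreshes."""
    return TokenPair(now + ACCESS_LIFETIME, now + REFRESH_LIFETIME, auth_time)


def rotate(now: int, pair: TokenPair, enforce_absolute: bool) -> Optional[TokenPair]:
    """Exchange a refresh token for a new pair. Returns None when the session
    must end, either because the refresh token idled out or because the
    application-level absolute limit was reached."""
    if now >= pair.refresh_exp:
        return None  # idle timeout: the refresh token itself has expired
    if enforce_absolute and now - pair.auth_time >= MAX_SESSION_AGE:
        return None  # absolute timeout, independent of how often tokens rotated
    return issue(now, pair.auth_time)


def simulate(refresh_every: int, horizon: int, enforce_absolute: bool) -> Optional[int]:
    """A client refreshes every `refresh_every` seconds, starting at login (t=0).
    Returns the time at which the session ended, or None if it was still alive
    at `horizon` seconds after login."""
    login = 0
    pair = issue(login, login)
    now = login
    while now + refresh_every <= horizon:
        now += refresh_every
        pair = rotate(now, pair, enforce_absolute)
        if pair is None:
            return now
    return None


def within_absolute_limit(id_token_claims: dict, now: int) -> bool:
    """Application-side check on a validated ID token: reject the session once
    the original login is older than the policy limit. A missing auth_time is
    treated as a failure so that a provider not emitting it cannot bypass it."""
    auth_time = id_token_claims.get("auth_time")
    if auth_time is None:
        return False
    return now - int(auth_time) < MAX_SESSION_AGE


if __name__ == "__main__":
    day = 24 * 60 * 60
    print("refresh every 15 min, no absolute check ->", simulate(15 * 60, day, False))
    print("refresh every 15 min, absolute check    ->", simulate(15 * 60, day, True))
    print("refresh only once an hour               ->", simulate(60 * 60, day, False))
```

With rotation every 15 minutes and no extra check the session is still alive after 24 hours, which is the behaviour the question describes; with the `auth_time` check the refresh at the 8 hour mark is refused. Refreshing only at the 1 hour mark fails immediately, which is the idle timeout. In a real deployment the same `auth_time` check belongs wherever the application accepts a token, and requesting the OIDC `max_age` parameter on the authorization request forces the provider to re-authenticate the user instead of reusing an old login.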