How to set a session timeout for OIDC application

We have an OIDC SSO application that we are submitting for an OIN review, in order for partners to log in to our app.

We would like to ensure the sessions are limited to timeout after 12 hours maximum. Is there a way to set this within the app? I’ve seen in the guide that prompting for re-authentication is only possible for SAML apps, does this mean OIDC apps cannot limit session timeframes?

We are using the oauth2/v1/introspect endpoint to validate tokens.

Thank you!

One thing to note is that an OIN app cannot use a custom authorization server, so the access token and ID token lifetimes are limited to 1 hour.

If you want a session timeout of 12 hours, you will probably want to implement it in your app.
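An added illustration of the approach suggested in this reply (not code from the thread or from Okta): the application keeps its own absolute 12-hour session clock while still validating each short-lived access token through the org authorization server's introspect endpoint. The org URL, client_id and the fake introspect responder are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional

# Absolute cap on an application session; independent of the 1-hour token lifetime.
SESSION_MAX_SECONDS = 12 * 60 * 60

# Constructed placeholders: substitute the real org URL and client_id.
ISSUER = "https://example.okta.com"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"

# Injected HTTP POST helper: (url, form params) -> parsed JSON body.
PostFn = Callable[[str, Dict[str, str]], Dict[str, Any]]

@dataclass
class AppSession:
    sub: str            # subject reported by the introspected token
    created_at: float   # epoch seconds of the first successful authentication

def introspect_token(token: str, post: PostFn) -> Dict[str, Any]:
    """POST the token to the org authorization server's RFC 7662 introspect endpoint.
    `post` is injected so this runs offline; a real app adds client authentication."""
    return post(f"{ISSUER}/oauth2/v1/introspect",
                {"token": token, "token_type_hint": "access_token", "client_id": CLIENT_ID})

def token_subject(token: str, post: PostFn, now: float) -> Optional[str]:
    """Subject of the token if introspection reports it active and unexpired, else None."""
    info = introspect_token(token, post)
    if not info.get("active") or info.get("exp", 0) <= now:
        return None
    return info.get("sub")

def start_session(token: str, post: PostFn, now: float) -> Optional[AppSession]:
    """Open an app session only on a currently valid token; record when it began."""
    sub = token_subject(token, post, now)
    return AppSession(sub=sub, created_at=now) if sub else None

def session_is_valid(sess: AppSession, now: float) -> bool:
    # The cap is absolute: it counts from first authentication, and presenting a
    # fresh token later does not extend it.
    return now - sess.created_at < SESSION_MAX_SECONDS

def fake_introspect_at(issued_at: int) -> PostFn:
    """Constructed stand-in for the introspect endpoint: 'valid-token' is active for
    one hour from issued_at (the org server's fixed access-token lifetime)."""
    def post(url: str, params: Dict[str, str]) -> Dict[str, Any]:
        if url.endswith("/oauth2/v1/introspect") and params["token"] == "valid-token":
            return {"active": True, "sub": "user@example.com", "exp": issued_at + 3600}
        return {"active": False}
    return post
```

A request is served only when both checks pass: the session is under its 12-hour cap and the token presented with the request still introspects as active.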

Thanks warren, that’s really helpful. I’ve tried looking through the Okta guides for this information regarding access tokens expiring after one hour when using the authorization server and using the introspect endpoint to validate the token, but can’t find it anywhere. Have you seen this documented?
Apologies if I’ve just missed it somewhere!

Maybe not in as many words, but as OIN applications use the Org Authorization Server, this doc of lifetimes per token (with the exception of refresh tokens, which are not currently supported for OIN apps) based on the Authorization Server used will still apply: What Is the Lifetime of Okta minted JSON Web Tokens (JWT) | Okta Help Center

Fantastic, that’s the sort of doc I was looking for, thanks Andrea.

