How will session expire time and refresh token lifetime work together?

I’m using both okta-auth-js and okta-react libraries and I have started to look at adding refresh token rotation. I was wondering what happens when I have refresh tokens set to expire after 7 days of inactivity but the Okta session lifetime is set to the default 2 hours? Will the user still be signed out after 2 hours of inactivity? Or do refresh tokens take precedence over session lifetimes?

1 Like

The two lifetimes operate relatively independently of one another: your refresh token expiring will NOT affect your Okta session expiring and vice versa. If the Okta session is set to expire after the user’s session in the browser is idle for 2 hours, their Okta session/session cookie will expire and they will not be able to access the Okta dashboard, but as long as they have valid tokens (access, refresh), they can still access an OIDC application they are already logged into.

I put some more details about the two different lifetimes and how they factor into our SDKs in this thread, which talks about how the Okta session can be used to renew tokens for users in SPAs when refresh tokens aren’t available.

4 Likes
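
The two independent lifetimes described in the answer above, modelled as an added example (not code from this thread or from Okta's SDKs). The `stateAt` function, the event names and the sliding idle-window model are assumptions for illustration; the 2-hour and 7-day values are the ones from the question.

```javascript
// Simplified model (assumption, not Okta's implementation): two independent
// sliding idle windows, using the values from the question.
const HOUR = 60 * 60 * 1000;
const DAY = 24 * HOUR;
const SESSION_IDLE_LIMIT = 2 * HOUR; // Okta session idle lifetime
const REFRESH_IDLE_LIMIT = 7 * DAY;  // refresh token inactivity lifetime

// events: [{ at: ms, type: 'login' | 'sessionActivity' | 'tokenRefresh' }]
// Returns which credentials are still usable at time `now`.
function stateAt(events, now) {
  let sessionSeen = null; // last time the Okta session was touched
  let refreshSeen = null; // last time a refresh token was issued or used
  const alive = (seen, limit, t) => seen !== null && t - seen < limit;

  const sorted = [...events].sort((a, b) => a.at - b.at);
  for (const ev of sorted) {
    if (ev.at > now) break;
    if (ev.type === 'login') {
      // A fresh sign-in starts both clocks.
      sessionSeen = ev.at;
      refreshSeen = ev.at;
    } else if (ev.type === 'sessionActivity') {
      // Only extends a session that has not already idled out.
      if (alive(sessionSeen, SESSION_IDLE_LIMIT, ev.at)) sessionSeen = ev.at;
    } else if (ev.type === 'tokenRefresh') {
      // Succeeds only while the refresh token is valid, and never
      // touches the session clock.
      if (alive(refreshSeen, REFRESH_IDLE_LIMIT, ev.at)) refreshSeen = ev.at;
    }
  }
  return {
    oktaSession: alive(sessionSeen, SESSION_IDLE_LIMIT, now),
    refreshToken: alive(refreshSeen, REFRESH_IDLE_LIMIT, now),
  };
}

// Constructed timeline: sign in, renew tokens daily, then go idle.
const timeline = [
  { at: 0, type: 'login' },
  { at: 1 * DAY, type: 'tokenRefresh' },
  { at: 2 * DAY, type: 'tokenRefresh' },
  { at: 10 * DAY, type: 'tokenRefresh' }, // 8 days idle: this renewal fails
];

console.log(stateAt(timeline, 3 * HOUR));  // session idled out, tokens still valid
console.log(stateAt(timeline, 11 * DAY));  // both expired
```

In this model, three hours after sign-in the Okta session is gone while the refresh token is still usable, which is the window where an application session outlives the Okta session.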
