Idle Timeout Not triggering… What did I do wrong?


We’ve implemented okta in our React app and it is working fine for Signons. But… once signed in the session never seems to expire.

I can see the response from https://…/api/v1/authn has the expiresAt field set correctly with the timestamp.

The React app looks roughly like this:

            <Component {...pageProps} />
      <Notifications />
      <ReactQueryDevtools initialIsOpen={false} />

We aren’t using SecureRoute because we’re using next router instead of react router.

ProtectedPage is sort of our own version of SecureRoute and uses const { authState } = useOktaAuth() and authState.isAuthenticated in a useEffect to check if we should redirect to login.

authState.isAuthenticated never changes after the first login, always returns true even long after the timeout period has passed.

I’m sure I’ve missed something crucial, some call to check if the session is still valid or something, but can’t see what I’ve missed. (And couldn’t see SecureRoute doing anything more than we do.)

What are the likely candidates?


Are you talking about the Okta session or React app session?

The Okta session has a default lifetime of 2 hours. It can be configured per the article below:

The React app session or isAuthenticated is based on whether an id token and access token are present in tokenManager. By default, the library will also attempt to renew or retrieve new tokens if the current ones are about to expire.

Thanks Warren,

Our JWT tokens, for use against our API, are working just fine I think. They auto renew when they should and they expire after an idle time.

If isAuthenticated is based on the JWT tokens, what should I be calling to check if the current okta session is valid or has timed out? SecureRoute uses isAuthenticated here: okta-react/SecureRoute.tsx at master · okta/okta-react · GitHub


By default, the autoRenew uses getWithoutPrompt which allows the application to retrieve tokens based on the user’s existing Okta session.

If the Okta session expired, then autoRenew will fail. You can subscribe to the error event which should let you know know if the token renew attempt has failed.