I cannot find any details on how this works. Does the widget get this configuration from the server and watch for user activity via JavaScript events? Or some other mechanism? I set it to 15 minutes, and it seems to sign the user out, however they can hit the sign in button and they are then immediately logged back in.
I am unable to find the configuration for this inactivity timeout duration in the Okta admin UI.
I made a JavaScript solution that watches for inactivity and will “properly” sign the user all the way out by calling the widget logout function – the user then needs to completely reauthenticate, which is what I want. However, if there’s a way to do it with just configuration and the widget, I would like to use it.
The values for inactivity/re_authentication_frequency are specific to Okta Org (domain) activity. For example, in the Okta dashboard app, if 15 minutes go by where a user does not click any links that would cause a request to the domain, then the session would need to reauthenticate/challenge/etc.
For applications like a SPA application, the okta-auth-js SDK does not track user activity in any way. The only thing the SDK does by default is keep track of token expiration and refresh tokens automatically if configured and running as a service.
There have been clients who have used token-about-to-expire events to check if a session is still valid or should be logged out. You still need a way to keep track of activity by the user, however. If your SPA happens to make use of isAuthenticated() often, you might be able to update an activity global variable here, but activity tracking functionality is not built into the frontend SDKs and is up to the app to track.
Hi @broeks, you can also check out Refresh token inactivity in your Access Policy. You can set a rule in your Access Policy so that your refresh token will expire if it is not used within a defined period of time.
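The app-side activity tracking that the replies above leave to the application, sketched as an added example that is not part of the thread or of any Okta SDK. `IdleTracker`, `attach` and the storage key are hypothetical names, and `authClient` in the closing comment is assumed to be the app's okta-auth-js client.

```javascript
// Added example, not Okta code. IdleTracker, attach and the storage key are hypothetical names.
class IdleTracker {
  // storage: localStorage-like object shared by all tabs; now: injectable clock (for tests).
  constructor({ timeoutMs, onIdle, storage, now = () => Date.now(), key = 'app.lastActivity' }) {
    Object.assign(this, { timeoutMs, onIdle, storage, now, key, fired: false });
    if (this.storage.getItem(this.key) === null) this.reset();
  }

  // Call right after a successful sign-in: starts a new idle window unconditionally.
  reset() {
    this.fired = false;
    this.storage.setItem(this.key, String(this.now()));
  }

  // Milliseconds since the last recorded activity in any tab. Unparseable values fail closed.
  idleMs() {
    const last = Number(this.storage.getItem(this.key));
    return Number.isFinite(last) ? this.now() - last : Infinity;
  }

  // Compares wall-clock timestamps rather than relying on one long setTimeout, because timers
  // are throttled in background tabs and do not run while the machine sleeps.
  check() {
    if (!this.fired && this.idleMs() >= this.timeoutMs) {
      this.fired = true;
      this.onIdle();
    }
    return this.fired;
  }

  // Record activity. check() runs first, so the first click after a long sleep
  // signs the user out instead of silently restarting the idle window.
  touch() {
    if (!this.check()) this.storage.setItem(this.key, String(this.now()));
  }
}

// Browser wiring: input events call touch(); an interval and tab-visibility changes call check().
function attach(tracker, win, intervalMs = 15000) {
  for (const ev of ['pointerdown', 'keydown', 'scroll']) {
    win.addEventListener(ev, () => tracker.touch(), { passive: true });
  }
  win.document.addEventListener('visibilitychange', () => tracker.check());
  return win.setInterval(() => tracker.check(), intervalMs);
}

// In the SPA: new IdleTracker({ timeoutMs: 15 * 60 * 1000, storage: localStorage,
//   onIdle: () => authClient.signOut() }), then attach(tracker, window) and tracker.reset() after login.
```

Keeping the timestamp in shared storage means activity in one tab keeps the others alive, and a tab opened after the timeout has passed signs out on its first check.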