I’m working on an Angular SPA which will use Okta for user authorization. We configure a default expiration time on the Okta admin site. When a user logs in, the “expire at” value reflects that default expiration time. In the Angular application, I subscribe to the $authenticationState, and that observable pops when the user’s session has expired.
Is there a way to programmatically bump up, refresh, or reset that expiration time before it expires? I’m not asking how to determine when it will expire. I’m asking if there is an API call I could make that would go back to Okta and return a new token with a refreshed/reset expiration time?
Otherwise, it seems like this would be a bad user experience to abruptly end a user’s session if they are in the middle of an important task. Yes, our FE app could be written to just ignore the session expiring, and the Server would also have to ignore the “expires at” value, but that also seems like a bad idea.
I believe the authenticationState reflects whether access token/id token is present. By default, the Okta Angular library will try to renew the tokens as long as the Okta session is valid. You can extend the Okta session with the sessions API endpoint. https://developer.okta.com/docs/reference/api/sessions/#refresh-current-session
Thank you for the tips. I’ve been reading through the online docs, and I have a question about using the …/lifecycle/refresh API.
That POST appears to be something that is sent unbeknownst to the Okta service in my Angular application. If I refresh the expiration time in the Okta Auth Server, how does the Okta service in my app get updated in order to prevent the $authorizationState observable from popping? Maybe I’m missing something that is obvious…
Another option (Sessions | Okta Developer) is to use the HTTP prefer header to refresh the session. I have a few implementation-specific questions about this, but the first question is the same as above: how does calling this API update the Okta service state/values in my Angular application? The Okta service wouldn’t even know I made the call.
Right, using the /lifecycle/refresh API has no direct effect on the authState. The authState depends on the existence of the id token and access token in tokenManager. If the tokens expire, they will be removed and the authState would be updated to indicate that the user is no longer authenticated.
As mentioned previously, the Okta library will try to renew the tokens using the user’s Okta session. If the user’s Okta session has expired, the token renewal will fail and the expired tokens will be removed.
I presume when you say “the Okta library” you’re referring to the service running in the Angular application? If that’s the case, I do not see this happening. Is there something that needs to be enabled to trigger this?
For the record, when I set up my application on the Okta admin site, I checked grant type of: “Authorization Code” and “Refresh Token.” But, in my Angular app, when I try to fetch the refreshToken by calling getRefreshToken() after the sign-in succeeds, I get back null.