Hi! I’m using Okta in my Angular app. The access token’s lifetime is 5 mins and the session’s is 7 mins. I’m expecting the following behavior:
User is logged in
Access token’s lifetime is set to 5 mins
Session’s lifetime is set to 7 mins
After 5 mins (when the access token expires) I’m getting new tokens (ID and access) with getWithoutPrompt or with renewTokens
After 5 more minutes I try to do the same thing as above and it’s successful, although the session should already be expired.
I can see that with every token refresh request the session’s lifetime gets extended by 7 more mins.
I don’t want this thing to happen, I want the session not to get extended whenever I get new access and ID tokens.
If your application is using silent token renewal (aka autoRenew is kicking off a new OAuth flow to get tokens) in place of refresh tokens (where autoRenew uses a refresh token and sends it to the /token endpoint), the request to the /authorize endpoint will refresh the user’s Okta session (since the Okta session is being used to get new tokens for the user).
If you do not want this to occur, you will want to use refresh tokens instead. In the Okta admin console, make sure “Refresh token” is an allowed grant type for your OIDC application, and in the config for your widget and Angular app make sure you are requesting the offline_access scope.
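As an added illustration (not code from either post or from Okta), here are the two client configurations side by side, with a small helper that states which endpoint autoRenew will use and whether that request extends the Okta session, following the rule in the answer above. It assumes the okta-auth-js OktaAuth constructor options issuer, clientId, redirectUri, scopes and tokenManager.autoRenew; the issuer and clientId values are placeholders.

```javascript
// Added example, not part of the original thread. Option objects in the shape
// passed to `new OktaAuth(...)` from @okta/okta-auth-js (assumed option names).

// Weak setting: offline_access is not requested, so no refresh token is issued
// and autoRenew falls back to a silent /authorize flow. That flow relies on the
// Okta session and, as the question observed, extends it on every renewal.
const silentRenewConfig = {
  issuer: 'https://{yourOktaDomain}/oauth2/default', // placeholder
  clientId: '{clientId}',                             // placeholder
  redirectUri: 'http://localhost:4200/login/callback', // constructed sample
  scopes: ['openid', 'profile', 'email'],
  tokenManager: { autoRenew: true },
};

// Corrected setting: offline_access is requested, so a refresh token is issued
// (the "Refresh token" grant must also be enabled on the OIDC app in the admin
// console) and autoRenew posts it to /token without touching the session.
const refreshTokenConfig = {
  ...silentRenewConfig,
  scopes: ['openid', 'profile', 'email', 'offline_access'],
};

// Describes how autoRenew will obtain new tokens for a given config.
// `refreshGrantEnabled` mirrors the admin-console setting, which the client
// config alone cannot express: both must be true for the /token path.
function renewalPath(config, refreshGrantEnabled) {
  const wantsRefreshToken = (config.scopes || []).includes('offline_access');
  if (wantsRefreshToken && refreshGrantEnabled) {
    return { endpoint: '/token', usesRefreshToken: true, extendsOktaSession: false };
  }
  return { endpoint: '/authorize', usesRefreshToken: false, extendsOktaSession: true };
}
```

Note that requesting offline_access without enabling the grant on the application still leaves you on the session-extending /authorize path, so check both places.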