I have built a ReactJS single page app which uses both the okta-auth-js and okta-react libraries. After signing in, I’ve noticed that I get signed out after leaving the page alone overnight. Just wondering if there is a configuration somewhere which signs the user out for inactivity? I have even selected the “Remember me” checkbox. I’d like to know what the expected behaviour is so that I can relay this to users.
Users are likely getting logged out of your app because their tokens are expiring overnight. When using our React and Auth JS SDKs, you are securing your application via OAuth/OIDC tokens, and only their lifetimes matter when it comes to your application session.
You may want to look into using refresh tokens in your app to keep your users logged in longer. The SDKs support this OOTB, but you will need to:
- request the offline_access scope in your app
- update your Application settings in Okta to permit the “refresh token” grant.
- Depending on the Org you are testing in, this may require you to enable an EA feature called “refresh token rotation,” which can be found in your Admin console under Settings → Features
PS, the ‘remember me’ checkbox only saves the user’s username as a cookie so it can be pre-populated for them next login. It has no effect on the user session in your app or in Okta.
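To check the symptom described in this answer against a real token, the following is an added example (not code from the thread, and not part of the Okta SDKs). It decodes the `iat`/`exp` claims of a JWT access or ID token to show how long the session actually lasts, and checks the `scp` claim for `offline_access`, which must be requested for a refresh token to be issued. The signature is deliberately not verified: this is for inspecting your own tokens in a dev console, not for making trust decisions. The sample token and the issuer/clientId/redirectUri values in the config are placeholders constructed for the example.

```javascript
// Added example, not code from the thread or from okta-auth-js/okta-react.

function base64UrlToString(s) {
  const padded = s + '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

function stringToBase64Url(s) {
  return Buffer.from(s).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Reads the payload of a compact JWS and reports its lifetime relative to `nowSeconds`.
// No signature check: a local diagnostic only, never a trust decision.
function inspectToken(jwt, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 dot-separated parts)');
  const claims = JSON.parse(base64UrlToString(parts[1]));
  if (!Number.isInteger(claims.exp)) throw new Error('token has no numeric exp claim');
  const scopes = Array.isArray(claims.scp) ? claims.scp : []; // Okta puts granted scopes in `scp`
  return {
    lifetimeSeconds: Number.isInteger(claims.iat) ? claims.exp - claims.iat : null,
    remainingSeconds: claims.exp - nowSeconds,
    expired: claims.exp <= nowSeconds,
    canRefresh: scopes.includes('offline_access'), // no offline_access -> no refresh token issued
  };
}

// Builds an unsigned sample token (dummy signature part) so the example runs offline.
function sampleJwt(claims) {
  const header = stringToBase64Url(JSON.stringify({ alg: 'RS256', kid: 'example' }));
  return `${header}.${stringToBase64Url(JSON.stringify(claims))}.signature`;
}

// The configuration additions the answer lists, as passed to `new OktaAuth(...)`.
// issuer, clientId and redirectUri are placeholders.
const oktaAuthConfig = {
  issuer: 'https://{yourOktaDomain}/oauth2/default',
  clientId: '{clientId}',
  redirectUri: 'https://app.example.com/login/callback',
  pkce: true,
  scopes: ['openid', 'profile', 'email', 'offline_access'], // offline_access requests a refresh token
  tokenManager: { autoRenew: true },                        // SDK renews tokens before they expire
};

// Walk-through: a 1-hour access token issued in the evening and checked ten hours later.
const issued = 1700000000; // constructed epoch timestamp
const overnight = sampleJwt({ sub: 'user@example.com', iat: issued, exp: issued + 3600, scp: ['openid', 'profile'] });
console.log(inspectToken(overnight, issued + 10 * 3600));
// → { lifetimeSeconds: 3600, remainingSeconds: -32400, expired: true, canRefresh: false }
```

If `canRefresh` is false for the access token your SPA holds, the SDK has nothing to renew with when `exp` passes, which is exactly the overnight sign-out described above; add `offline_access` to `scopes` and enable the refresh token grant on the application before expecting `autoRenew` to keep the session alive.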
Excellent answer thanks for replying, much appreciated!
I have looked into replacing the use of cookies to renew access tokens with the new Refresh Token Rotation feature, mainly because it looks like browsers will prevent “cross site requests” sometime soon.
I have a question on refresh tokens if you don’t mind helping me understand it a bit better. I read here some advice that “When you use a refresh token with a SPA, make sure that you keep a short refresh token lifetime for better security.” Would that be this (in app settings):
or this (in Security → API → Access Policy):
If the doc is referring to the latter, would you have any guidance on which values to add in here which is secure for React SPAs but at the same time doesn’t annoy users by getting them to sign in every day?
The second screenshot of an Access Rule for a custom authorization server is what that guide is referring to.
The question for how long to have your refresh tokens last is going to be dependent on the needs of your users. For example, the default settings shown in that screenshot say that the refresh token lifetime is unlimited, but will expire if not used every 7 days. This means that if the user is idle in the application for 7 days, they will not be able to get new tokens, but, as long as they are active in the app every 7 days, they can stay logged into the app indefinitely.
If you expect your users to remain idle for, say 7 days or 30 days between visits to your application, but would rather not prompt them to re-authenticate, then you can easily change the “but will expire if not used every 7 days” to whatever time is a good balance between user experience (who don’t want to have to login again and again) and security (which may dictate that users should be prompted to fully authenticate regularly).
I was unable to find specific guidance on our side that suggests how long these lifetimes should be. I would recommend erring on the side of having as short a refresh token lifetime as possible, but continuing to keep in mind the user experience if the lifetime is too short.
Thanks again for the reply and easy to understand answer. Could you explain how the “Refresh token behaviour” ties in with the Access Rule?
Given the example below, does this mean that a brand new refresh token is rotated every 30 days? Or is it rotated every 5 minutes when the access token expires?
The refresh token will be rotated every time it is used.
So, say your access token expires after 5 minutes. The React SDK will attempt to renew tokens automatically using the stored refresh token. When it receives new ID/Access tokens, it will also receive a new refresh token that will last for 7 days, per the rule in your screenshot.
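To make the interaction between the Access Rule knobs (access token lifetime, refresh token absolute lifetime, “expire if not used every N days”) and rotation concrete, here is an added example that is not code from the thread, from Okta’s SDKs or from Okta’s servers: a small model of an authorization server applying such a rule, and a client loop standing in for the SDK’s automatic renewal. The policy field names, the error strings and the assumption that a rotated refresh token is invalid immediately are made up for the illustration; check your org’s documented behaviour for any grace period. Times are in seconds.

```javascript
// Added example, not code from the thread or from Okta: a toy model of the
// Access Rule discussed above. Policy names and server behaviour are assumptions.

const MIN = 60;
const DAY = 24 * 60 * 60;

// The three knobs from the rule in the screenshot: 5-minute access token,
// "unlimited" refresh token lifetime (Infinity), expire if unused for 7 days.
const defaultPolicy = {
  accessTokenLifetime: 5 * MIN,
  refreshTokenLifetime: Infinity,
  refreshTokenIdleTimeout: 7 * DAY,
};

// Toy authorization server: tracks which refresh token values are currently valid.
class AuthServer {
  constructor(policy = defaultPolicy) {
    this.policy = policy;
    this.valid = new Map(); // refresh token value -> { issuedAt, familyStart }
    this.seq = 0;
  }

  issue(now, familyStart) {
    const rt = `rt-${++this.seq}`;
    this.valid.set(rt, { issuedAt: now, familyStart });
    return {
      accessToken: { expiresAt: now + this.policy.accessTokenLifetime },
      refreshToken: rt,
    };
  }

  // Full login: starts a new token family (the absolute lifetime counts from here).
  login(now) {
    return this.issue(now, now);
  }

  // Refresh grant with rotation: the presented token is spent, and a new refresh
  // token comes back with the new access token. Idle time is measured from the
  // last rotation, i.e. the last time the token was used.
  refresh(rt, now) {
    const meta = this.valid.get(rt);
    if (!meta) throw new Error('invalid_grant: unknown or already-rotated refresh token');
    this.valid.delete(rt); // rotated: the old value cannot be used again (immediate, by assumption)
    if (now - meta.issuedAt > this.policy.refreshTokenIdleTimeout) {
      throw new Error('invalid_grant: refresh token unused for longer than the idle timeout');
    }
    if (now - meta.familyStart >= this.policy.refreshTokenLifetime) {
      throw new Error('invalid_grant: refresh token past its absolute lifetime');
    }
    return this.issue(now, meta.familyStart);
  }
}

// Client side, standing in for the SDK's automatic renewal: whenever the app is
// used it needs a live access token; if that has expired, renew with the refresh
// token. Returns when (and why) the user would be sent back to the login page.
function simulateSession(activityTimes, policy = defaultPolicy) {
  const server = new AuthServer(policy);
  let tokens = server.login(activityTimes[0]);
  let refreshes = 0;
  for (const now of activityTimes.slice(1)) {
    if (tokens.accessToken.expiresAt > now) continue; // access token still valid
    try {
      tokens = server.refresh(tokens.refreshToken, now);
      refreshes++;
    } catch (e) {
      return { loggedOutAt: now, reason: e.message, refreshes };
    }
  }
  return { loggedOutAt: null, reason: null, refreshes };
}

// "Used every `step` seconds for `total` seconds", starting at t = 0.
function regularActivity(step, total) {
  const times = [];
  for (let t = 0; t <= total; t += step) times.push(t);
  return times;
}

// Walk-through of the three cases behind the question "every 30 days or every 5 minutes?":
console.log(simulateSession(regularActivity(60 * MIN, 30 * DAY)));      // hourly use: 720 rotations, never logged out
console.log(simulateSession([0, 1 * DAY, 9 * DAY]));                      // 8-day gap: idle timeout, logged out at day 9
console.log(simulateSession(regularActivity(DAY, 40 * DAY),
  { ...defaultPolicy, refreshTokenLifetime: 30 * DAY }));                 // 30-day absolute lifetime: logged out at day 30
```

The first case is the answer to the question above: with a 5-minute access token and hourly use, a new refresh token is minted at every renewal, so rotation happens hundreds of times inside the 7-day window and the session never ends. The second case shows what the “expire if not used every 7 days” setting does on its own, and the third shows the effect of replacing “unlimited” with a finite lifetime, which is the lever the earlier advice about short refresh token lifetimes for SPAs refers to.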
Great thanks. Once this issue has been resolved in v4.9 I’ll switch over the refresh tokens.