I have 2 needs that Okta fulfils at the moment.
- Authenticate users into a SPA using Authorization-PKCE Flow
- Contact a backend API using an Access-Token (AT) that was generated from said flow
This works great. What I’d like to do now is to generate long-lived sessions for users that have logged in. If a user logs in on day 1, I’d like their session to be active for a month. If they are active between days 1-30 I’d like to extend their session for another 30 days.
Currently I do not generate Okta Sessions for any users. Here’s what I tried
- The AT that is generated is only valid for an hour and cannot be extended using refresh tokens on the PKCE flow.
- A silent refresh would be possible using invisible iFrames, but that won’t work if say the user puts their laptop to sleep overnight.
How do I generate an access token and keep it alive over long-lived sessions for users in Okta? If it’s not possible using the current approach (AuthCode + PKCE), what should I do to make this happen?
Another user seems to have had the same question about 2 years back, but that thread is still unanswered - OpenID connect vs Session/Authentication API. Would appreciate any help I can get.