Long lived Okta logins


I have 2 needs that Okta fulfils at the moment.

  • Authenticate users into a SPA using Authorization-PKCE Flow
  • Contact a backend API using an Access-Token (AT) that was generated from said flow

This works great. What I’d like to do now is to generate long lived sessions for users that have logged in. If a user logs in on day 1, I’d like their session to be active for a month. If they are active between days 1 and 30, I’d like to extend their session for another 30 days.

Currently I do not generate Okta Sessions for any users. Here’s what I tried:

  • The AT that is generated is only valid for an hour and cannot be extended using refresh tokens on the PKCE flow.
  • A silent refresh would be possible using invisible iframes, but that won’t work if, say, the user puts their laptop to sleep overnight.

How do I generate an access token and keep it alive over long lived sessions for users in Okta? If it’s not possible using the current approach (AuthCode + PKCE), what should I do to make this happen?

Another user seems to have had the same question about 2 years back, but that thread is still unanswered - OpenID connect vs Session/Authentication API. Would appreciate any help I can get.

When users log in via Authorization code flow with PKCE, an Okta session is created for them AND OAuth tokens are generated for them. Per the default settings, this Okta session will last for 2 hours.

With a SPA using silent refresh, an Okta session MUST be present in the user’s browser, otherwise they will need to re-authenticate with Okta to create a new session. At this time, SPAs are not able to request/receive refresh tokens, and this is the only way a SPA can request new tokens for a user.

One thing you may want to look into is enabling persistent sessions for users, as described in this guide.

Provided you are okay with the security ramifications, you can always either 1) increase the max Okta session lifetime to 1 month or 2) increase the access token lifetime via Access Rules.


an Okta session is created for them AND they are generated OAuth tokens

Ah that makes more sense now. So the idea is that you use the session as the long lived object and keep rotating the AT using the silent refresh. That solved my problem.

Thank you for taking the time to answer my question. It was very helpful.

Yup, that’s exactly how it works!