Okta access token exp

Hi –

I recently came across an issue where a user had an incorrect time zone on their machine. Their client and server time did not match and therefore the current time was always past the expiry time of the token.

However, even when I look into okta-auth-js code it seems as if the client time is being used here as well: okta-auth-js/validateClaims.ts at 1263546ef236f95420025bc2e25ac1b11378d120 · okta/okta-auth-js · GitHub

Is there any way to circumvent this and ensure the user is using the correct time?

You can set ignoreLifetime to true to disable token lifetime validation.

I don’t think there’s a way to prevent the user from modifying their machine time settings unless you are using a device management tool.

How about using the time from the token API call response?
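
The idea in the last reply, sketched as an added example that is not part of the original thread and is not okta-auth-js code: derive a clock offset from the `Date` header of a server response and apply it when checking `exp` and `iat`. Using the `Date` header, the function names, the sample values and the 300-second tolerance are all assumptions made for illustration.

```javascript
// Added example; all names are hypothetical and this is not okta-auth-js code.

// Seconds to add to the local clock to approximate server time.
// sentMs / receivedMs are local Date.now() readings taken around the request;
// their midpoint compensates for network round-trip time.
function estimateClockOffset(dateHeader, sentMs, receivedMs) {
  const serverMs = Date.parse(dateHeader);
  if (Number.isNaN(serverMs)) {
    throw new Error('Unparseable Date header: ' + dateHeader);
  }
  return Math.round((serverMs - (sentMs + receivedMs) / 2) / 1000);
}

// Check exp/iat against the corrected clock, tolerating maxSkewSec of residual drift.
// This only decides what the client does with a token; the resource server
// still enforces expiry against its own clock.
function checkLifetime(claims, localNowSec, offsetSec, maxSkewSec = 300) {
  if (!Number.isInteger(claims.exp) || !Number.isInteger(claims.iat)) {
    return { valid: false, reason: 'missing exp or iat' };
  }
  const now = localNowSec + offsetSec;
  if (now - maxSkewSec > claims.exp) {
    return { valid: false, reason: 'expired' };
  }
  if (claims.iat - maxSkewSec > now) {
    return { valid: false, reason: 'issued in the future' };
  }
  return { valid: true, reason: 'ok' };
}

// Constructed sample: the client clock runs two hours ahead of the server.
function demo() {
  const dateHeader = 'Tue, 05 Mar 2024 12:00:00 GMT'; // constructed value
  const serverNowSec = Date.parse(dateHeader) / 1000;
  const localNowSec = serverNowSec + 7200;
  const claims = { iat: serverNowSec, exp: serverNowSec + 3600 };
  const offsetSec = estimateClockOffset(
    dateHeader, localNowSec * 1000 - 100, localNowSec * 1000 + 100);
  return {
    offsetSec,
    uncorrected: checkLifetime(claims, localNowSec, 0),
    corrected: checkLifetime(claims, localNowSec, offsetSec),
  };
}

console.log(demo());
```

Unlike disabling lifetime validation, this keeps the expiry check in place on the client and only corrects the clock it is compared against.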