Okta Login Page Timeout error

Okta is implemented in a web browser control. Keep the Okta login page idle for 15 minutes without entering credentials. After 15 minutes, enter credentials and click on the Sign in button; then we get a 400 Bad Request error. What is the reason for this and how do we fix it? Is there any timeout period for Okta after a login page is loaded in a browser?

Hi @sherin

What is the error message that you receive when the 400 Bad Request error occurs?

Hi @dragos,
Please find the error message.

400 Bad Request

Hi @sherin

Thank you for providing the screenshot. Indeed, there is a timeout of 15 minutes on okta_key, which is used to know where to redirect the user after he authenticates. You can find here more details about this error.

@dragos,
Thanks for the reply. But the resolution on that page is not clear. We are using IdentityModel.OidcClient to work with Okta.

Hi @sherin

The solution is to use Okta Sign-In Widget inside your local project which does the authentication of the user and immediately afterwards does the authorization.

Hi @dragos,
Thanks for the reply. Tried the Okta Sign-In Widget; the issue is not in it and it is working fine. But since it is JavaScript, we can’t keep the parameters like clientid, issuer, redirecturl as secret and anyone can view them in the source of the web page. So it is not secure to implement in our project.

Is there any option to increase the timeout of the okta_key value in the Okta developer tool?

I’m still seeing this issue. Has Okta fixed this problem? I cannot use the React Okta Sign-In Widget since I need SSO across my apps. So I need to use the Okta hosted login screen. However, after the 15 minutes you let the page sit, my users get a 400 screen when they finally decide to log in. But since the okta_key or whatever has expired, it doesn’t redirect them back into my app, they just get the 400 screen. If they then navigate directly to the app after seeing this 400 error, they’ll be taken into the app right away, which proves that they did authenticate and log in with Okta, but Okta chose to not redirect accordingly. I’m assuming because of this okta_key which has expired, which we developers have no control over.

The Okta hosted login screen should never “expire”. I don’t understand why this is the case.


This is also a problem for me.

The user experience is awful. They get a generic error with no suggested recourse.

There is a feature request here:
https://ideas.okta.com/app/#/case/111616

Please upvote it.

Hi,

Same problem here. We have found a simple and half-dirty workaround: we force the login page to go back to the app after 10 minutes. As the user is not logged in, he is redirected to the Okta login form with a new okta_key.

To do so, edit the Okta Sign-In Widget from here: https://XXXXX.okta.com/admin/settings/customizableSignIn#tab-customizable-sign-in. In the HTML editor, add the following snippet before the </script>:

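      // Go back three history entries so the browser returns to the app,
      // which redirects to the Okta login form with a new okta_key.
      function refreshLogin() {
        window.history.go(-3);
      }
      // Run once, 10 minutes after the login page loads.
      window.setTimeout(refreshLogin, 1000 * 60 * 10);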

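A more defensive variant of the timed-restart workaround in the reply above, as an added example that is not from the thread or from Okta: it re-checks the wall clock when the tab becomes visible again (background tabs and sleeping laptops delay timers) and navigates to one fixed app URL instead of depending on history depth. The URL `https://app.example.com/`, the function names and the injected `env` object are assumptions; the 15-minute lifetime and the 10-minute restart point come from the thread.

```javascript
// Added example. Names and the app URL are hypothetical placeholders.
const OKTA_KEY_LIFETIME_MS = 15 * 60 * 1000; // okta_key lifetime stated in the thread
const RESTART_MARGIN_MS = 5 * 60 * 1000;     // restart at 10 minutes, as in the workaround

// Milliseconds left before the login flow should be restarted.
function msUntilRestart(loadedAt, now) {
  return Math.max(0, loadedAt + OKTA_KEY_LIFETIME_MS - RESTART_MARGIN_MS - now);
}

// env is injected so the logic can be exercised without a browser.
function installLoginRestart(env) {
  const loadedAt = env.now();
  let done = false;
  function restartIfDue() {
    if (done || msUntilRestart(loadedAt, env.now()) > 0) return false;
    done = true;
    env.redirect(env.appStartUrl); // the app starts a new flow with a fresh okta_key
    return true;
  }
  function arm() {
    if (done) return;
    // Re-arm if the timer fired early; the wall clock decides, not the timer.
    if (!restartIfDue()) env.setTimer(arm, msUntilRestart(loadedAt, env.now()));
  }
  arm();
  env.onVisible(restartIfDue); // catches timers delayed by throttling or sleep
  return restartIfDue;
}

// Browser wiring, placed in the customized sign-in page script.
if (typeof window !== 'undefined') {
  installLoginRestart({
    appStartUrl: 'https://app.example.com/', // placeholder: your app's entry URL
    now: () => Date.now(),
    setTimer: (fn, ms) => window.setTimeout(fn, ms),
    onVisible: (fn) => document.addEventListener('visibilitychange', () => {
      if (document.visibilityState === 'visible') fn();
    }),
    // replace() keeps the stale login page out of the Back history.
    redirect: (url) => window.location.replace(url),
  });
}
```

Hard-coding the destination keeps the redirect target out of attacker-influenced input such as query parameters or history state.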
