OKTA Authentication Questions
We use an implementation of okta-react and okta-signin-widget to allow logins to our React SPA. We have three issues:
1. Our workflow sometimes requires users to remain logged into the SPA for 10+ hours. As such we have set our Okta timeout to 12 hours. However, if a user has been continuously using the system and not allowed it to go idle (see #2) but it exceeds the session's 12 hours, their page just becomes generally unresponsive and doesn't kick back to the login screen.
2. Presently our SPA has an idle detection system. If a logged-in instance has been idle (no interactions with the page) for over 2 hours, it calls the logout function and clears session cookies. This works. I would like it so that if a user has been idle for over an hour, their session validity is checked to make sure they haven't been remotely logged out (see #3). I can handle this time-based check.
3. If I end a user's session via the Okta control panel, this does not get reflected on the SPA, and when they refresh the page it breaks. I've gotten around this breakage by deleting session cookies if the page thinks it is authenticated but cannot get the user, and forcing a refresh. But I'd like it to just log them out in real time.
I believe the issues that I’m seeing are because our widget creates a cookie and all subsequent authentication checks are against that cookie, and our app is never really reaching out to the Okta service anymore. Can I make this work in a “real time” way by means of REST (without using Postman)?
Additionally, is there a method I can use so that, if my user is actively using the page and the time is nearing the end of their session expiry, I can push their session expiry back a little bit? Presumably also via REST calls.
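The following is an added example (not code from the original post, okta-react or the Okta widget) of the "ask Okta, don't trust the local cookie" approach the question is circling around. It uses two endpoints of Okta's Sessions API: `GET /api/v1/sessions/me` to find out whether the browser still has an active org session (a 404 means Okta has none, which is what you get after an admin ends the session), and `POST /api/v1/sessions/me/lifecycle/refresh` to extend it while the user is active. The org URL is a placeholder, `fetchFn` is injected so the watchdog can be exercised offline against a constructed stub, `onLogout` stands in for the SPA's existing logout routine, and the refresh threshold and 12-hour lifetime are assumed values chosen to match the post.

```javascript
// Added example (not from the original post): keep a React SPA's view of the
// Okta org session honest by asking Okta directly on a timer, instead of
// trusting a cookie the sign-in widget set hours ago.
// Assumptions: OKTA_ORG_URL is a placeholder, and the SPA's origin is registered
// as a Trusted Origin (CORS) in the Okta admin console so that the browser will
// send the Okta session cookie with `credentials: 'include'`.

const OKTA_ORG_URL = 'https://example.okta.com'; // placeholder; replace with your org

// Turn a GET /api/v1/sessions/me response into a small summary.
// 404 = Okta has no active session for this browser (e.g. an admin ended it).
function parseSessionResponse(status, body) {
  if (status === 404) return { active: false, expiresAt: null };
  if (status !== 200) throw new Error(`unexpected session status ${status}`);
  return {
    active: body.status === 'ACTIVE',
    expiresAt: Date.parse(body.expiresAt), // ms since epoch
  };
}

// Decide what the SPA should do on a watchdog tick:
//   'logout'  - Okta no longer has a (live) session: clear local state, show the widget
//   'refresh' - user is active and expiry is close: extend the session server-side
//   'ok'      - nothing to do
function decideAction(session, { nowMs, userActive, refreshThresholdMs }) {
  if (!session.active) return 'logout';
  const remainingMs = session.expiresAt - nowMs;
  if (remainingMs <= 0) return 'logout';
  if (userActive && remainingMs <= refreshThresholdMs) return 'refresh';
  return 'ok';
}

// Ask Okta for the current session. fetchFn is injectable for offline tests.
async function getSession(fetchFn, orgUrl = OKTA_ORG_URL) {
  const res = await fetchFn(`${orgUrl}/api/v1/sessions/me`, {
    method: 'GET',
    credentials: 'include',
    headers: { Accept: 'application/json' },
  });
  const body = res.status === 200 ? await res.json() : null;
  return parseSessionResponse(res.status, body);
}

// Extend the current session; Okta moves expiresAt forward according to the
// org's session policy. Returns the refreshed session summary.
async function refreshSession(fetchFn, orgUrl = OKTA_ORG_URL) {
  const res = await fetchFn(`${orgUrl}/api/v1/sessions/me/lifecycle/refresh`, {
    method: 'POST',
    credentials: 'include',
    headers: { Accept: 'application/json' },
  });
  const body = res.status === 200 ? await res.json() : null;
  return parseSessionResponse(res.status, body);
}

// One watchdog tick: check with Okta, then act. onLogout is the SPA's existing
// logout routine (the one that clears cookies and shows the sign-in widget).
// Call this from setInterval (e.g. every few minutes) or from the idle timer.
async function sessionWatchdogTick(fetchFn, { nowMs, userActive, refreshThresholdMs, onLogout, orgUrl }) {
  const session = await getSession(fetchFn, orgUrl);
  const action = decideAction(session, { nowMs, userActive, refreshThresholdMs });
  if (action === 'logout') onLogout();
  else if (action === 'refresh') await refreshSession(fetchFn, orgUrl);
  return action;
}

// Constructed stub of fetch for offline demonstration: simulates an Okta org
// holding one session. Mutating `state.active = false` models an admin ending it.
function makeStubFetch(state) {
  const sessionJson = () => ({ status: 'ACTIVE', expiresAt: new Date(state.expiresAt).toISOString() });
  return async (url, opts) => {
    if (!state.active) return { status: 404, json: async () => ({}) };
    if (url.endsWith('/api/v1/sessions/me') && opts.method === 'GET') {
      return { status: 200, json: async () => sessionJson() };
    }
    if (url.endsWith('/api/v1/sessions/me/lifecycle/refresh') && opts.method === 'POST') {
      state.expiresAt += 12 * 60 * 60 * 1000; // assumed 12h org session lifetime, as in the post
      return { status: 200, json: async () => sessionJson() };
    }
    return { status: 500, json: async () => ({}) };
  };
}
```

Two things worth keeping in mind when wiring this in. First, the org session this code checks is separate from the access and ID tokens okta-react holds; those expire on their own schedule, so a session refresh alone does not keep API calls working, and the token manager's renewal still has to run. Second, the refresh call only extends the session as far as the org's session policy permits, so a hard maximum lifetime configured in Okta will still end it; the watchdog's `logout` branch is what turns that into a clean return to the login screen instead of an unresponsive page.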