We have an application built using .NET Framework 4.8, NHibernate, MVC framework, and Okta.AspNet middleware. Users access the application by clicking on a dashboard chiclet. After 60 minutes of inactivity within the app, users are automatically logged out and redirected to the dashboard.
While users can re-enter the app without issues as long as they remain active on their computer, a problem arises when they are idle for an extended period. If they click on the chiclet after prolonged inactivity, the callback process throws a 302 error, resulting in a redirect loop that eventually leads to a 429 error.
Currently, the workaround is to clear the browser cache before clicking on the chiclet, but we need to identify the root cause of this issue. Has anyone encountered a similar problem, or does anyone have insights into resolving this?
If you have ruled out all ASP-related issues, I would start with the global session policy (see "Global Session Policy" in the Okta Help Center).
It may also matter whether you are using an Org Authorization Server as the issuer or a Custom Authorization Server. Okta's documentation on authorization servers explains that session time is dictated by the authorization server type, along with global and application session policies. Maybe reauthentication is not being handled correctly after idle time in your application.
If you are using a Custom Authorization Server, try increasing the token timeout/expiry settings. More details on refresh token expiration behavior can help you adjust these settings appropriately.
If redirect callbacks are not handled correctly, they can cause an infinite redirect loop. Ensure that your application properly manages edge cases when handling redirects; you may have missed some routes. (Happens to the best of us.)
Could you also provide the version of Okta.AspNet Middleware you are using? You might want to try Okta’s official sample applications to see if they behave differently.
You can also look into the system logs to see how the expiry happens, so that you have a clear idea of whether it is only idle time or re-authentication attempts being foiled.
Please log a bug if you find that this issue is with the Okta ASP.NET middleware, but I suspect a missed edge case in handling sessions correctly in the application before filing a bug on GitHub.
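A server-side guard for the redirect loop discussed in this thread, as an added example that is not from the question, the answer, or Okta's own code: an OWIN middleware for a .NET Framework/Katana pipeline that counts consecutive 302 challenge responses per browser and, past a threshold, clears the stale session and nonce cookies and stops with a 400 instead of letting the loop run into a 429. It assumes the Katana default cookie names (".AspNet.Cookies" for the application cookie, the "OpenIdConnect.nonce." prefix for OIDC nonce cookies); the counter cookie name and the threshold are hypothetical choices.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

// Added example, not Okta.AspNet code: breaks a runaway sign-in redirect loop server-side
// instead of letting the browser chase it into a 429.
public static class RedirectLoopGuard
{
    // Assumptions: Katana default cookie names (".AspNet.Cookies" application cookie,
    // "OpenIdConnect.nonce." OIDC nonce prefix); counter name and threshold are hypothetical.
    private const string CounterCookie = "auth_redirect_count";
    private const string AuthCookie = ".AspNet.Cookies";
    private const string NoncePrefix = "OpenIdConnect.nonce.";
    private const int MaxConsecutiveRedirects = 5;
    // Register before app.UseOktaMvc(...) in Startup so it wraps the challenge logic.
    public static IAppBuilder UseRedirectLoopGuard(this IAppBuilder app)
    {
        return app.Use(async (IOwinContext ctx, Func<Task> next) =>
        {
            var root = new CookieOptions { Path = "/" };
            int count;
            if (!int.TryParse(ctx.Request.Cookies[CounterCookie], out count) || count < 0) count = 0;

            if (count >= MaxConsecutiveRedirects)
            {
                // Stale session state keeps forcing a new challenge: drop it and stop,
                // replacing the manual "clear the browser cache" workaround.
                ctx.Response.Cookies.Delete(AuthCookie, root);
                foreach (var cookie in ctx.Request.Cookies)
                    if (cookie.Key.StartsWith(NoncePrefix, StringComparison.Ordinal))
                        ctx.Response.Cookies.Delete(cookie.Key, root);
                ctx.Response.Cookies.Delete(CounterCookie, root);
                ctx.Response.StatusCode = 400;
                await ctx.Response.WriteAsync("Sign-in loop detected; session cleared, please retry.");
                return;
            }

            await next();
            // A challenge redirect bumps the counter; any other response resets it.
            if (ctx.Response.StatusCode == 302)
                ctx.Response.Cookies.Append(CounterCookie, (count + 1).ToString(),
                    new CookieOptions { HttpOnly = true, Secure = ctx.Request.IsSecure,
                                        Path = "/", Expires = DateTime.UtcNow.AddMinutes(2) });
            else if (count > 0)
                ctx.Response.Cookies.Delete(CounterCookie, root);
        });
    }
}
```

Log the request details where the guard fires so they can be correlated with the Okta system log entries mentioned above.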