OKTA session timeout and Introspection

I have a question…right now, I am just using the developer OKTA and I have set up an app using a widget and all for its use. I have been testing with it. There is one thing that is just throwing me for a loop and I cannot figure it out. Hopefully, somebody can shed some light here and help me with this aspect.

I know the default session is set for 3600 or 1 hour. That’s good and I got that. After an hour, when I do the introspection on the access token, it is not active and that’s good.

I want to see about another aspect. So, I did it on my developer dashboard and all: I went to the Global Security settings and I changed the TimeOut on that to like 4 minutes.

I created another user which is not the admin user. I can log in with that user either through the dashboard or through that widget. That’s all good. I can do an introspection with the access token and I get the information that it’s active. That’s all good.

I have the app doing an async timeout check every 2 minutes. That check will take the access token and do the introspection. Now, I will let that user idle for 4 minutes. After 2 minutes, the async timeout check fires and it returns back that the token is active. (It should). Then 4 minutes passes and it returns active…then 6, then 15, etc…it’s all showing active until the 1 hour (or 3600), at which point it is showing it’s not active.

What is happening here and why is it not timing out when all indications are that it should?

This is very important as this is going to be needed before we integrate this app into our corporate OKTA account.

Any information on this would be greatly appreciated.
