OpenID Connect without session management

I am working on an AngularJS application that does not have any session management in place. The application is using Spring REST to expose the APIs. This application is using OpenID Connect for authentication. We are not doing any authorization with Okta.

Problem: For each request, we are sending the ID token to Okta so that it can get validated. Now the challenge is that the ID token expires in 1 hour. I am trying to fetch a new ID token and it refreshes the user's page. I have already used no-prompt, so it is not asking the user to log in again. However, due to the refresh, the user loses the work he/she was doing.

Could you please suggest an approach that can work in a situation where there is no session management and Okta is used only for authentication purposes?


You have built something of a session management layer on top of the ID token for your API, regardless of what you call it. If you are relying on the ID token to figure out whether the user is signed in or not, then you have pretty much built session management. You are relying on the expiration of the token for your session.

I would think about moving to an access token instead of the ID token. Access tokens (even though you aren't doing API authorization) can be used in place of an ID token and can have configurable timeouts. If you ever need to start doing API authorization, you will be ready with the access token.

To refresh tokens without a redirect, the refresh method on auth-js does a silent refresh.
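The client-side half of the answer above, as an added example that is not from this thread or from Okta's own code: the SPA reads the token's `exp` claim, schedules a silent renewal shortly before expiry, and swaps the token in place so the page never reloads. The `renewFn` callback and the `TokenKeeper` class are assumed names standing in for the auth-js silent-refresh call; they are injected here so the logic runs offline.

```javascript
// Decode the payload of a compact JWT (no signature check: the resource
// server verifies signatures; the SPA only needs the expiry for scheduling).
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Seconds until the token's exp claim, measured from nowSec (epoch seconds).
function secondsUntilExpiry(jwt, nowSec = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtPayload(jwt);
  if (typeof exp !== 'number') throw new Error('token has no exp claim');
  return exp - nowSec;
}

// Holds the current access token and renews it leadSec before it expires.
// renewFn is an async function returning a fresh token without a redirect
// (hypothetical stand-in for the library's silent refresh). Timers are
// injectable so the scheduling can be tested without waiting.
class TokenKeeper {
  constructor(renewFn, leadSec = 60, timers = { set: setTimeout, clear: clearTimeout }) {
    Object.assign(this, { renewFn, leadSec, timers, token: null, handle: null });
  }
  // Store the token and schedule renewal; returns the scheduled delay in ms.
  setToken(jwt, nowSec) {
    this.token = jwt;
    if (this.handle !== null) this.timers.clear(this.handle);
    const delayMs = Math.max(0, secondsUntilExpiry(jwt, nowSec) - this.leadSec) * 1000;
    this.handle = this.timers.set(() => this.renew(), delayMs);
    return delayMs;
  }
  async renew() {
    const fresh = await this.renewFn(); // silent: no redirect, no page reload
    this.setToken(fresh);
  }
  // Header to attach to each API call; refuses to send an expired token.
  authHeader() {
    if (!this.token || secondsUntilExpiry(this.token) <= 0) {
      throw new Error('access token expired; renew before calling the API');
    }
    return { Authorization: `Bearer ${this.token}` };
  }
}

// Constructed, unsigned sample token (alg "none") used only to exercise the code.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function makeSampleJwt(exp) {
  return `${b64url({ alg: 'none', typ: 'JWT' })}.${b64url({ sub: 'user@example.com', exp })}.`;
}
```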