Hey @dutty,
You can force the token validation to be on the server side instead of the client side by setting okta.oauth2.localTokenValidation=false.
More generally, to answer your question, this looks like a similar issue on StackOverflow. The session timeout does not match the access token:
We can look into adding a similar feature in future releases (similar to the solution on SO).
Basically, your access token gets exchanged for a session (timeout depending on your container and/or Spring config).
Note: this would NOT @ResourceServer (implicit flow) applications as the token would be validated on each request.
Does that help?
-Brian