SAML refresh token

I configured my first application according to this tutorial:

Everything is working great, but once the user has been inactive for some time, I have to redirect him to the Okta login.
Is there any way to configure a kind of “silent” login without redirecting the user?

I’m a little confused about your use case/current behavior. Are the users getting logged out of your application because the session in your application has expired?

The user session in my API is about 10 minutes. After the session has ended, I try to re-login the user.
Is there any way to re-login the user by API using a refresh token?

Is the Okta session expired as well? If the Okta session is still active, then the user won’t need to login again even if they are redirected to the Okta login.

Where can I control Okta session lifetime? Could I check programmatically if the Okta session exists?

You can check your access policy/rule under Security -> Authentication in the classic UI. There is the /sessions/me endpoint to check if the Okta session exists, but it would require JavaScript and third-party cookies to be enabled.

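As an added illustration of the last reply (example code, not from the thread or from Okta's own SDKs): a browser-side check of `GET /api/v1/sessions/me`, which returns the session object with `200` when the browser holds an Okta session cookie and `404` when it does not. The org URL is a placeholder, and the request only works cross-site if the app's origin is listed under the org's Trusted Origins and the browser allows third-party cookies, which is exactly the caveat the reply raises. The response-handling logic is kept in its own function so it can be exercised without a network.

```javascript
// Added example, not from the original thread.
// Assumption: OKTA_ORG_URL is your Okta org; the value below is a placeholder.
const OKTA_ORG_URL = "https://dev-000000.okta.com";

// Turn a /api/v1/sessions/me response into a small decision object.
// 200 with status ACTIVE  -> Okta session exists
// 404                      -> no Okta session (normal "logged out" case)
// anything else            -> treat as no session, but record why
function interpretSessionResponse(status, body) {
  if (status === 200 && body && body.status === "ACTIVE") {
    return {
      hasSession: true,
      id: body.id,
      login: body.login,
      expiresAt: Date.parse(body.expiresAt),
    };
  }
  if (status === 404) {
    return { hasSession: false, reason: "no-okta-session" };
  }
  return { hasSession: false, reason: `unexpected-status-${status}` };
}

// Probe the Okta session from the browser. fetchImpl is injectable so the
// function can be driven with a fake fetch in tests.
async function checkOktaSession(fetchImpl = fetch) {
  let res;
  try {
    res = await fetchImpl(`${OKTA_ORG_URL}/api/v1/sessions/me`, {
      method: "GET",
      credentials: "include", // send the Okta session cookie cross-site
      headers: { Accept: "application/json" },
    });
  } catch (err) {
    // Network failure or a CORS rejection (origin not trusted, or the
    // browser blocked the third-party cookie). Fail closed: no session.
    return { hasSession: false, reason: "network-or-cors-error" };
  }
  const body = res.status === 200 ? await res.json() : null;
  return interpretSessionResponse(res.status, body);
}

// What the app should do once its own ~10 minute session has expired:
// if the Okta session is still alive, sending the user back through the
// Okta login completes without a prompt; otherwise they must sign in again.
function nextActionFor(result) {
  return result.hasSession ? "silent-reauth" : "redirect-to-okta-login";
}
```

In practice `checkOktaSession()` is called when the app session times out and `nextActionFor()` decides between kicking off the normal Okta redirect (which, with a live Okta session, returns immediately) and showing the user a login. Because a CORS or cookie problem is indistinguishable from "no session" at the network level, the code records the reason rather than retrying, so the failure mode is visible in the console instead of looping.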