Currently we’re developing an MVC application with Okta IDP support. We implemented the solution as described in this Okta example from the OktaDeveloper Git repo.
We have a very explicit wish, namely that the session should expire after 5 minutes of inactivity, and the user should log in again. So not just the IIS session, but also the Okta tokens should be invalid after 5 minutes of inactivity.
There seems to be a problem with the way I set up the Okta API settings, because the session expires, but the session on Okta seems to remain valid. I went to Security => API, selected the Default Auth. server, added a new access policy, and disabled the default.
The new settings set all lifetimes to 5 minutes (minimum) and the expiration (‘but will expire if not used every’) (of the refresh token??) also to 5. No matter what settings I use, I always keep my sessions with Okta unless I log out of the application (or explicitly on the Okta interface).
What setting/implementation do I need to be able to do as described …