Session management for OIDC apps with Okta

I am working on sign-out for an application authenticated using OIDC with Okta. After authenticating with Okta, the app has its own session. How should I handle sessions in Okta and the app? If the user signs out of Okta, do I need to sign out of the application? Do I need to ping Okta from the application for every request to make sure the session is alive in Okta?


It depends on your requirements. If you want your application to have its own session, then just have it.

If you have your own backend, you can have a session cookie. If you don’t have one, you can have a session established based on the lifetime of your access_token. Then you just set the authz server policy to limit the access_token lifetime to XX minutes (based on your requirements) and check the token lifetime (or subscribe to the expiration event if you are using okta auth js). No need to go to Okta every time to check if the session is still alive there.

I am confused about how sessions are managed in OIDC applications. I have 3 OIDC applications configured in Okta. The first time I access any one of the apps, I am redirected to Okta for login; it creates a session and the app has an access token. If I access the 2nd application, I will not be redirected to login, as I am already authenticated with Okta, and I will be sent to the 2nd application with its own access token. If I sign out of Okta now, should I be signed out of all the applications, or will the application session remain valid for the access token’s validity period? Hope you can help me with it.

If you sign out of Okta, your access token will still be valid until its own expiration time. But if you try to “refresh” it, you will have to authenticate to Okta again (if you don’t have a refresh token).

To get a token from Okta you have to be authenticated (and authorized) to Okta. So, as long as your session with Okta (based on a browser cookie) is active, you can get a token for any application (as long as you are authorized to access it).

It’s a common confusion point for people, as the access_token does not have to have anything in common with the application session itself. To be honest, session management is totally an application-level responsibility, as the options are numerous depending on your architecture and functionality.
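The token-lifetime-based app session from the first answer, and the point in the second that an access token stays valid until its own `exp` regardless of the Okta session, as an added example (not code from the thread or from Okta's SDK). It assumes a JWT access token, decodes the `exp` claim without verifying the signature (signature and issuer checks belong to the resource server; this only decides when the local session ends), and uses a constructed, unsigned sample token; `makeSampleToken`, `sessionState` and the leeway value are hypothetical names and choices.

```javascript
// Added example: derive the app's local session state from the access_token's
// `exp` claim instead of asking Okta on every request. Requires Node 15.7+
// for the "base64url" Buffer encoding (assumption).

// Decode the payload of a compact JWT. No signature check here: that is the
// resource server's job; we only read the expiry to time the app session.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Returns { active, secondsRemaining }. `leewaySeconds` ends the app session a
// little before the token expires, so the user is sent back to Okta to
// re-authenticate before API calls start failing with 401s.
function sessionState(jwt, nowSeconds, leewaySeconds = 30) {
  const { exp } = decodeClaims(jwt);
  if (typeof exp !== "number") return { active: false, secondsRemaining: 0 };
  const remaining = exp - nowSeconds;
  return { active: remaining > leewaySeconds, secondsRemaining: Math.max(remaining, 0) };
}

// Constructed sample token (hypothetical helper): header and payload are real
// JSON, the signature segment is a dummy, since nothing here verifies it.
function makeSampleToken(iat, exp) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const header = enc({ alg: "RS256", typ: "JWT" });
  const payload = enc({ sub: "user@example.com", iat, exp });
  return `${header}.${payload}.dummy-signature`;
}

// Usage: a 10-minute token issued at t=1000 (seconds since epoch, constructed).
const token = makeSampleToken(1000, 1600);
console.log(sessionState(token, 1000)); // active: true, 600 s left
console.log(sessionState(token, 1580)); // active: false, inside leeway: redirect to Okta
console.log(sessionState(token, 1700)); // active: false, expired: redirect to Okta
```

Signing out of Okta changes nothing in this check, which is exactly the behaviour the answer describes: the app session ends when `exp` is reached, and only the next token request (or refresh without a refresh token) sends the user back through Okta.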
