We are using the Okta Sign-In Widget (which has the okta-auth SDK built in) with OIDC.
So the access token and ID token are readily available via the interfaces out of the box.
Our use case is that:
- We keep an ultra-short inactivity session length of only 15 minutes (i.e. if a user logs out and comes back more than 15 minutes later, we want them to have to log in again, but as long as they are continuously using the app, we want to keep them logged in).
- We have 2 (SPA) web apps, and we use Okta as our SSO agent.
So the sign-in widget has a tokenManager which automatically refreshes access tokens in localStorage -> great. Do I even need to keep the Okta session alive at all using XHR requests (the cookie-based Okta session)?
It seems that if I just keep using the access token from local storage, I don’t need the Okta session at all, and it can expire without affecting my use case?
Thanks in advance for the input.
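The 15-minute inactivity rule described in the post is not something the widget's tokenManager enforces on its own (it only renews tokens), so here is an added example of an idle guard that sits on top of it. This is not code from the original post or from Okta; it assumes only that `tokenManager` has a `clear()` method (okta-auth-js's does) and takes an injectable clock so the logic can be tested without a browser.

```javascript
// Added example: enforce a 15-minute inactivity limit on top of the
// widget's tokenManager. Assumption: `tokenManager` exposes clear(), as the
// okta-auth-js tokenManager does; `now` is injectable for testing.

const IDLE_LIMIT_MS = 15 * 60 * 1000;

function createIdleGuard(tokenManager, { idleLimitMs = IDLE_LIMIT_MS, now = Date.now } = {}) {
  let lastActivity = now();
  let expired = false;

  return {
    // Call on any user interaction (click, keydown, route change, API call).
    // Once expired, activity no longer revives the session: the user must log in again.
    touch() {
      if (!expired) lastActivity = now();
    },
    // Returns true once the idle limit has passed and clears the locally stored
    // tokens the first time that happens. Note this is only a local logout: the
    // Okta server-side session can still be alive, so a full sign-out also
    // needs authClient.signOut() (okta-auth-js API).
    check() {
      if (expired) return true;
      if (now() - lastActivity > idleLimitMs) {
        expired = true;
        tokenManager.clear();
      }
      return expired;
    },
    idleFor() {
      return now() - lastActivity;
    },
  };
}

// Browser wiring (not exercised outside a browser): record activity on DOM
// events and poll the guard every 30 s, sending the user back to the login
// route when the idle limit is exceeded. `/login` is a placeholder route.
function attachToDom(guard, win = globalThis) {
  ['click', 'keydown', 'mousemove', 'touchstart'].forEach((ev) =>
    win.addEventListener?.(ev, () => guard.touch(), { passive: true }));
  return setInterval(() => {
    if (guard.check()) win.location?.assign?.('/login');
  }, 30 * 1000);
}
```

Because the guard only clears the SPA's own copy of the tokens, the other SPA sharing the Okta SSO session is unaffected until its own guard fires.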