We are using the Okta Sign-In Widget (which has the okta-auth SDK built in) with OIDC.
So the access token and ID token are very readily available via the interfaces out of the box.
Our use case is this:
We keep an ultra-short inactivity session length of only 15 mins (i.e. if a user logs out and comes back > 15 mins later, we want them to have to log in again, but as long as they are continuously using the app, we want to keep them logged in).
We have 2 (SPA) web apps, and we use Okta as our SSO agent.
So the Sign-In Widget has a tokenManager which automatically refreshes access tokens in localStorage -> great. Do I even need to keep the Okta session alive at all using XHR requests (the cookie-based Okta session)?
It seems that if I just keep using the access token from localStorage, I don't need the Okta session at all; it can expire and won't affect my use case?
But then the tokens can also readily be used for authentication from the other applications.
Is it correct to think of the token and the Okta session as different ways to achieve the same goal for SSO? (The token can use localStorage/sessionStorage while the Okta session has to use a cookie.)
And depending on which mechanisms the "other" applications use, we should be able to do SSO even without the Okta session, shouldn't we?
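One way to enforce the 15-minute inactivity limit on the token side, so that it does not rely on the Okta session cookie, as an added example that is not from the post or from Okta's SDK: a small idle guard that records the last user activity and clears locally stored tokens once the idle window is exceeded. The storage key name `okta-token-storage`, the `createIdleGuard` helper and the in-memory storage stand-in are assumptions made for this example.

```javascript
// Added example (not from the post, not Okta SDK code): inactivity-bounded token storage.
// Assumptions: tokens live in a web-storage-like object (localStorage in the browser),
// the key name below is hypothetical, and IDLE_LIMIT_MS is the question's 15-minute window.
const IDLE_LIMIT_MS = 15 * 60 * 1000;
const LAST_ACTIVITY_KEY = "app:lastActivity";
const TOKEN_KEYS = ["okta-token-storage"]; // hypothetical storage key for the cached tokens

// `now` is injectable so the guard can be tested with a fake clock.
function createIdleGuard(storage, now = () => Date.now()) {
  // Record "the user is active right now".
  function touch() {
    storage.setItem(LAST_ACTIVITY_KEY, String(now()));
  }
  // True when there is no activity record or the last one is older than the idle limit.
  function isExpired() {
    const raw = storage.getItem(LAST_ACTIVITY_KEY);
    if (raw === null) return true; // no record at all: treat as expired, never as fresh
    const last = Number(raw);
    if (!Number.isFinite(last)) return true; // tampered or corrupt value: fail closed
    return now() - last > IDLE_LIMIT_MS;
  }
  // Remove cached tokens and the activity record so a stale SPA cannot keep using them.
  function clearTokens() {
    for (const key of TOKEN_KEYS) storage.removeItem(key);
    storage.removeItem(LAST_ACTIVITY_KEY);
  }
  // Call before each use of the access token: returns false (and clears tokens)
  // when the idle window was exceeded, otherwise refreshes the activity record.
  function enforce() {
    if (isExpired()) {
      clearTokens();
      return false;
    }
    touch();
    return true;
  }
  return { touch, isExpired, clearTokens, enforce };
}

// Minimal in-memory stand-in for window.localStorage so the example runs outside a browser.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}
```

In a browser you would call `guard.touch()` from user-input events (click, keydown) and `guard.enforce()` before each API call; because only the local copy is cleared, the second SPA still has its own idle guard and its own copy of the tokens.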