[Signin Widget/Okta-Auth sdk] Why do I even need to maintain an Okta Session anyway? If I can use the access token for authentication

We are using the Okta Sign-In Widget (which has the okta-auth SDK built in) with OIDC.
So the access token and ID token are readily available via the interfaces out of the box.

Our use-case is that:

  • We keep an ultra-short inactivity session length of only 15 mins (i.e. if a user logs out and comes back > 15 mins later, we want them to have to log in again, but as long as they are continuously using the app, we want to keep them logged in).
  • We have 2 (SPA) web apps, and we use Okta as our SSO agent.

So the Sign-In Widget has a tokenManager which automatically refreshes access tokens in localStorage -> great. Do I even need to keep the Okta session alive at all using XHR requests (the cookie-based Okta session)?

It seems that if I just keep using the access token from local storage, I don’t need the Okta session at all, and it can expire without affecting my use case?

Thanks in advance for the input.

If you are using refresh tokens, there won’t be a need to keep the Okta session active in order to get new tokens.

Specifically, what use cases would require the use of the Okta session rather than just the tokens?

The Okta session allows for SSO into other applications that are part of your Okta org.

But then the tokens can also readily be used for authentication from the other applications.

Is it correct to think of tokens and the Okta session as being different ways to achieve the same goal for SSO? (Tokens can use localStorage/sessionStorage, while the Okta session has to use a cookie.)

And depending on which mechanisms the “other” applications use, we should be able to do SSO even without the Okta session, shouldn’t we?