We have a Ruby on Rails application with a homegrown authentication/authorization mechanism (i.e. not using Devise). I have configured omniauth-okta and can log in to the application perfectly fine using Okta OAuth.
Now that the basic authentication with OAuth is working, the next logical question is how to synchronize the Rails session timeout with the Okta session timeout so that if the Okta session expires, the Rails application will also expire. In this application, once OAuth returns its hash to the application on login, the user is looked up in the DB using the email address returned from OAuth and then the Rails session takes over. The OAuth isn’t encountered again unless the person signs out of the Rails application and again clicks on the “Login with Okta” button on the login page.
I have gone round and round with ideas on how to sync the sessions. I have thought about adding an Okta custom attribute that can be set to whatever timeout the customer wants and then the Rails app will set its session timeout according to that timeout value from the custom attribute. The issue with that is I haven’t been able to get the custom attributes to appear in the OAuth hash when logging in. I don’t know if that is a limitation of the OmniAuth gem or what.
The second idea was to change the sign-in redirect URI to include an additional parameter that would be a value to use as a session timeout value (i.e. /auth/okta/callback/60), but Okta doesn’t like it.
I’ve thought about grabbing the token expiration time from OAuth on login and setting the Rails session timeout to the same thing. The problem is that there are ways to force re-authentication in Okta that are not reflected in the token expiry timestamp.
Does anyone have any ideas as to how you could sync your Rails session and the Okta session? I can’t imagine I am the first person to want to do this.
Thanks for any feedback you can give.
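Added example, not part of the post above, of the third idea the poster describes: pinning the Rails session's hard expiry to the token expiry OmniAuth reports at login, with an idle timeout as a second bound. It is plain Ruby rather than a Rails controller so it runs stand-alone; the `OktaBoundSession` class, the `session` Hash stand-in and the sample auth hash are all assumptions for this illustration, and the hash values are constructed. It assumes the strategy fills in `credentials.expires_at` as a Unix timestamp, which is the OmniAuth OAuth2 convention. As the post itself notes, this only bounds the Rails session by what was known at login; it does not observe a re-authentication forced on the Okta side afterwards.

```ruby
# Added example (not from the original post): bind a Rails-style session to the
# token expiry OmniAuth reports at login, plus an idle timeout. Plain Ruby so it
# runs outside Rails; a Hash stands in for the controller's `session`.

# Constructed sample of the hash OmniAuth hands the callback. The shape follows
# the OmniAuth::AuthHash convention for OAuth2 strategies; every value is made up.
SAMPLE_AUTH_HASH = {
  'provider'    => 'okta',
  'uid'         => '00u0example',
  'info'        => { 'email' => 'alice@example.com' },
  'credentials' => {
    'token'      => 'access-token-placeholder',
    'id_token'   => 'id-token-placeholder',
    'expires'    => true,
    'expires_at' => 1_700_000_000 + 3_600, # Unix timestamp, one hour after login
  },
}.freeze

class OktaBoundSession
  DEFAULT_IDLE_TIMEOUT = 15 * 60 # seconds without a request before signing out

  def initialize(store = {})
    @session = store # in Rails this would be the controller's `session`
  end

  # Callback side: after looking the user up by email (outside this example),
  # pin the session's hard expiry to the token expiry Okta reported.
  def sign_in(auth, now: Time.now, idle_timeout: DEFAULT_IDLE_TIMEOUT)
    expires_at = auth.dig('credentials', 'expires_at')
    raise ArgumentError, 'auth hash carries no credentials.expires_at' if expires_at.nil?

    @session[:email]           = auth.dig('info', 'email')
    @session[:okta_expires_at] = Integer(expires_at)
    @session[:last_seen_at]    = now.to_i
    @session[:idle_timeout]    = Integer(idle_timeout)
    self
  end

  # Per-request check (a before_action in Rails). Returns :anonymous, :expired,
  # :idle or :ok; on :ok the idle clock is reset. Anything other than :ok has
  # already cleared the session, so the caller should redirect to login.
  def status(now: Time.now)
    return :anonymous unless @session[:okta_expires_at]

    t = now.to_i
    if t >= @session[:okta_expires_at]
      reset!
      return :expired
    end
    if t - @session[:last_seen_at] > @session[:idle_timeout]
      reset!
      return :idle
    end

    @session[:last_seen_at] = t
    :ok
  end

  def valid?(now: Time.now)
    status(now: now) == :ok
  end

  def email
    @session[:email]
  end

  private

  def reset!
    @session.clear
  end
end
```

The hard expiry is a ceiling, not a synchronisation: once Okta's token lifetime passes, the Rails session dies even if the user is active, and the next request sends them back through the "Login with Okta" flow. The idle timeout is the customer-configurable part the post wanted from a custom attribute; here it is simply a keyword argument so it can come from wherever the application keeps that setting.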