Given the following auth setup
services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(options =>
{
options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.Authority = Configuration["OktaAuth:OktaDomain"] + "/oauth2/default";
options.RequireHttpsMetadata = true;
options.ClientId = Configuration["OktaAuth:OktaClientId"];
options.ClientSecret = Configuration["OktaAuth:OktaClientSecret"];
options.ResponseType = OpenIdConnectResponseType.Code;
options.GetClaimsFromUserInfoEndpoint = true;
options.Scope.Add("openid");
options.Scope.Add("profile");
options.Scope.Add("email");
options.SaveTokens = true;
options.TokenValidationParameters = new TokenValidationParameters
{
NameClaimType = "name",
RoleClaimType = "groups",
ValidateIssuer = true
};
});
And with refresh token enabled, and grace period set to 30 seconds.
I’m unsure as to how to make my okta token actually refresh, as when I remove myself from the application after the initial login, I seem to stay authenticated for a REALLY long time.
The okta middleware, takes a lot out of my hands which is great, but makes it extremely hard to know what it’s actually doing. I have no idea, if it’s even trying to refresh the token or anything. But it appears to never invalidate itself.