How do you users log into your application? If users go through the Okta hosted widget or you use the /authn endpoint directly, they should already be prompted 5 days before their password expires. See Semona’s post about this in another thread.
If you check out the /authn endpoint documentation, you can see that the exact information is returned in the response, including how many days until the password expires.
Let me know if you see something else/don’t see this warning show up for a user whose password is about to expire.