I’m using React, React Okta, and Okta Sign-in Widget. A user can successfully login and logout using the login and logout buttons.
However, the user is not being logged out after the access token has expired. I’m using Okta’s <SecureRoute> component, where I believe this should happen automatically. Am I missing a step?
In our Okta admin settings, the token is configured to expire after five minutes and refresh for five minutes.
After a long period of time, it then throws this error into the browser’s console: error.errorCode: login_required, error.description: The client specified not to prompt, but the user is not logged in. However, it does not redirect the user to log in again.
To reiterate, here’s my end goal: if a user is inactive after a period of time, the application should not load and redirect to the login page.
Internally, our okta-react library uses okta-auth-js, which will attempt to do our “silent” refresh flow to renew the access tokens when they expire. This relies on a cookie on the Okta domain. I’m guessing this cookie is expiring before your access token, and that is creating the error. Do you have a sign-on policy that sets the Okta session to something custom? You’d also see this if you log out of the Okta administration console while still “logged in” to your local application.
I’d need to do some more investigation to see how we can implement your case and/or get around the error, but I at least wanted to share this info about the session.
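An added example, not the poster's code and not part of okta-react or okta-auth-js, showing one way to turn the login_required renewal failure above into the logout-and-redirect the poster wants: a handler subscribed to the okta-auth-js tokenManager 'error' event that clears the cached tokens and sends the browser to the login page. The `authClient` instance, LOGIN_URL, the `returnTo` query parameter, and the injected `redirect` function are assumptions; the decision logic is kept in plain functions so it runs without the library.

```javascript
// Added example: force a fresh login when silent token renewal fails.
// Assumptions: an okta-auth-js `authClient` whose tokenManager emits an
// 'error' event on failed renewal, a LOGIN_URL for the separate static
// sign-in page, and a `returnTo` parameter that login page understands.

const LOGIN_URL = 'https://login.example.com/'; // assumed login server

// Classify a renewal error. A 'login_required' code means the Okta
// session cookie behind the silent refresh is gone, so retrying cannot
// help and only a new interactive login will. Anything else is left to
// the library's own retry behaviour.
function classifyRenewError(err) {
  const code = err && (err.errorCode || err.error);
  return code === 'login_required' ? 'relogin' : 'retry';
}

// Drop the cached accessToken/idToken and redirect to the login page,
// carrying the current path so the login app can send the user back.
function forceRelogin(tokenManager, redirect, returnTo) {
  tokenManager.clear();
  redirect(`${LOGIN_URL}?returnTo=${encodeURIComponent(returnTo)}`);
}

// Subscribe once; returns a function reporting whether a relogin was
// triggered. Injecting `redirect` keeps this testable without a browser.
function installSessionWatchdog(authClient, redirect, currentPath) {
  const tm = authClient.tokenManager;
  let handled = false; // guard against a burst of errors causing loops
  tm.on('error', (err) => {
    if (handled) return;
    if (classifyRenewError(err) === 'relogin') {
      handled = true;
      forceRelogin(tm, redirect, currentPath);
    }
  });
  return () => handled;
}

// In the React app this would be wired as:
// installSessionWatchdog(authClient,
//   (url) => window.location.assign(url), window.location.pathname);
```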
The problem seems to be that since we are using a separate server to host our login page, the cookie does not get set when it redirects to our main application’s implicit callback route. Our login app is a static HTML page with the Okta Sign-in Widget and our main application is a React app.
So the flow goes like this:
Go to the home URL of our login server and serve the login page.
After successfully logging in, which includes two-factor authentication, redirect to the React server on route react_app_url/implicit/callback (using the implicit callback component).
Local storage has
accessToken:{,…}
idToken:{,…}
Cookies has
okta-oauth-nonce
okta-oauth-state
Waiting for the token to refresh, we get an error that the user is not authorized/authenticated; no logout action nor refresh token action happens.
How do you suggest getting around the issue?
Attached is the sign-in policy I have set for myself for testing purposes.
Please let me know if there’s anything else you would need as this is a pretty important problem for us to solve. Thanks for looking into this and hope to hear from you soon.
No, I haven’t been using incognito mode. Having the problem in “regular” mode. I can see why running in incognito mode you may not have the problem. I haven’t reproduced it in incognito, but I will try and see what I come up with.
I can’t imagine telling customers to run our app in incognito mode is going to be an acceptable answer.
Oh yeah, ours too. If you’re wondering what we’re using, we’re using Okta and React with implicit flow. This happens every time we log back into our web application. After a couple of refreshes we’re redirected back to Okta’s login page.
Can you please open a support ticket with us by sending an email to developers@okta.com. One of our developer support engineers will assist you in reviewing the configuration and narrowing down the cause of this issue.