User not logging out after session has expired


#1

I’m using React, React Okta, and Okta Sign-in Widget. A user can successfully login and logout using the login and logout buttons.

However, the user is not being logged out after the access token has expired. I’m using Okta’s <SecureRoute> component, where I believe this should happen automatically. Am I missing a step?

In our Okta admin settings, the token is configured to expire after five minutes and refresh for five minutes.

After a long period of time, it then throws this error into the browser’s console.
error.errorCode: login_required, error.description: The client specified not to prompt, but the user is not logged in. However, it does not redirect the user to log in again.

To reiterate, here’s my end goal: if a user is inactive after a period of time, the application should not load and redirect to the login page.

Many thanks for your help.


#2

Hi Kyle, thanks for the question.

Internally to our okta-react library, we use okta-auth-js, which will attempt to do our “silent” refresh flow to renew the access tokens when they expire. This relies on a cookie on the Okta domain. I’m guessing this cookie is expiring before your access token, and that is creating the error. Do you have a sign on policy that sets the Okta session to something custom? You’d also see this if you log out of the Okta administration console while still “logged in” to your local application.

I’d need to do some more investigation to see how we can implement your case and/or get around the error, but I at least wanted to share this info about the session.
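An added example (not the original poster's code and not Okta's library code) of the client-side handling the reply above implies: when the silent renew fails with login_required, the Okta session is gone and only a fresh login fixes it, so the app should clear its stored tokens and go back to the login page rather than keep rendering. The tokenManager `on('error', cb)` / `clear()` calls and the `errorCode === 'login_required'` check follow the TokenManager events documented in the okta-auth-js README; the function names, the injected `navigate` callback, the local exp check and the sample token are assumptions made so that the block runs offline.

```javascript
// Added example, not code from the original poster or from Okta's libraries.
// Two checks a client can make when the Okta session may end before the
// access token does:
//   1. inspect the stored access token's exp claim locally, failing closed;
//   2. treat a tokenManager 'error' with errorCode 'login_required' as
//      "the Okta session is gone": clear local tokens and go to the login page.
// tokenManager.on/clear and the login_required errorCode follow okta-auth-js's
// documented TokenManager events; everything else here (function names, the
// navigate callback, the sample token) is assumed for illustration.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; normalise before decoding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the payload only. This does NOT verify the signature: the library
// validated the token when it stored it, and exp is used here only to decide
// whether to keep showing the app, never to grant access to anything.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// True when the token is at or past exp. skewSeconds is tolerance for a
// slow client clock. A missing or non-numeric exp counts as expired.
function isAccessTokenExpired(jwt, nowSeconds, skewSeconds = 0) {
  const { exp } = decodeJwtPayload(jwt);
  if (typeof exp !== 'number') return true;
  return nowSeconds - skewSeconds >= exp;
}

// Constructed, unsigned sample token for offline use. The signature segment
// is a placeholder, which is fine because nothing in this example checks it.
function makeSampleJwt(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.sig`;
}

// login_required means the silent renew could not use the Okta-domain
// session cookie; only an interactive login fixes that. Anything else
// (e.g. a network error) is left for the library's next renew attempt.
function classifyTokenManagerError(err) {
  if (err && err.errorCode === 'login_required') return 'reauthenticate';
  return 'transient';
}

// tokenManager is an okta-auth-js style object with on(event, cb) and
// clear(); navigate(url) is whatever the app uses to leave the page
// (window.location.assign in a browser). Both are injected so this runs
// without a browser.
function installExpiryHandler(tokenManager, navigate, loginUrl) {
  tokenManager.on('error', (err) => {
    if (classifyTokenManagerError(err) === 'reauthenticate') {
      tokenManager.clear();   // drop the stale accessToken/idToken from storage
      navigate(loginUrl);     // send the user back to the login app
    }
  });
}
```

The exp check is the guard a SecureRoute-style wrapper can run before rendering, so a tab that sat idle past expiry does not show protected content while waiting for the renew to fail; the error handler is what turns that failure into a real logout instead of a console message.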


#3

Hi Robert,

The problem seems to be that since we are using a separate server to host our login page, the cookie does not get set when it redirects to our main application’s implicit callback route. Our login app is a static html page with the okta sign in widget and our main application is a react app.

So the flow goes like this:

  1. Go to the home url of our login server and serve the login page.
  2. After successfully logging in, which includes two factor authentication, redirect to the react server on route react_app_url/implicit/callback (using the implicit callback component)
  3. Local storage has
    accessToken:{,…}
    idToken:{,…}
  4. Cookies has
    okta-oauth-nonce
    okta-oauth-state
  5. Waiting for the token to refresh, we get an error that user is not authorized/authenticated, no logout action nor refresh token action happens.

How do you suggest getting around the issue?

Attached is the sign in policy I have set for myself for testing purposes

Please let me know if there’s anything else you would need as this is a pretty important problem for us to solve. Thanks for looking into this and hope to hear from you soon.