User not logging out after session has expired


#1

I’m using React, React Okta, and Okta Sign-in Widget. A user can successfully login and logout using the login and logout buttons.

However, the user is not being logged out after the access token has expired. I’m using Okta’s <SecureRoute> component, where I believe this should happen automatically. Am I missing a step?

In our Okta admin settings, the token is configured to expire after five minutes and refresh for five minutes.

After a long period of time, it then throws this error into the browser’s console.
error.errorCode: login_required, error.description: The client specified not to prompt, but the user is not logged in.
However, it does not redirect the user to log in again.

To reiterate, here’s my end goal: if a user is inactive after a period of time, the application should not load and redirect to the login page.

Many thanks for your help.


#2

Hi Kyle, thanks for the question.

Internally to our okta-react library, we use okta-auth-js, which will attempt to do our “silent” refresh flow to renew the access tokens when they expire. This relies on a cookie on the Okta domain. I’m guessing this cookie is expiring before your access token, and that is creating the error. Do you have a sign on policy that sets the Okta session to something custom? You’d also see this if you log out of the Okta administration console while still “logged in” to your local application.

I’d need to do some more investigation to see how we can implement your case and/or get around the error, but I at least wanted to share this info about the session.


#3

Hi Robert,

The problem seems to be that since we are using a separate server to host our login page, the cookie does not get set when it redirects to our main application’s implicit callback route. Our login app is a static html page with the okta sign in widget and our main application is a react app.

So the flow goes like this:

  1. Go to the home url of our login server and serve the login page.
  2. After successfully logging in, which includes two factor authentication, redirect to the react server on route react_app_url/implicit/callback (using the implicit callback component)
  3. Local storage has
    accessToken:{,…}
    idToken:{,…}
  4. Cookies has
    okta-oauth-nonce
    okta-oauth-state
  5. Waiting for the token to refresh, we get an error that user is not authorized/authenticated, no logout action nor refresh token action happens.

How do you suggest getting around the issue?

Attached is the sign in policy I have set for myself for testing purposes

Please let me know if there’s anything else you would need as this is a pretty important problem for us to solve. Thanks for looking into this and hope to hear from you soon.
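
The flow in posts #1 to #3 (tokens in localStorage, silent renew that depends on an Okta session cookie, a rejected renew with `login_required` that nobody handles) can be modelled without any of the Okta libraries. The block below is an added example, not code from the thread or from okta-react/okta-auth-js: it checks the stored access token's expiry with a small renew-ahead margin, and on a failed silent renew it discards the stale tokens and redirects to the login page, which is the behaviour the original poster asked for. The storage key, the login URL and the injected storage/clock/redirect are assumptions for the example; the sample tokens are constructed, unsigned JWTs so it runs offline in Node.

```javascript
// Added example, not code from the thread or from okta-react/okta-auth-js: a
// library-agnostic expiry check for tokens a SPA keeps in localStorage, plus the
// handling of a failed silent renew. Storage, clock and redirect are injected so
// the code runs in Node; in a browser pass window.localStorage,
// () => Date.now() / 1000 and (url) => window.location.assign(url).

const TOKEN_STORAGE_KEY = 'okta-token-storage'; // assumption: the app's storage key
const RENEW_AHEAD_SECONDS = 30;                 // renew a little early: clock drift, in-flight calls
const LOGIN_URL = 'https://login.example.com/'; // assumption: the separate login server from post #3

// Decode a JWT payload (base64url JSON) WITHOUT verifying it. Only for reading
// `exp` in the browser; the resource server must still verify the signature.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const json = typeof atob === 'function' ? atob(padded) : Buffer.from(padded, 'base64').toString('binary');
  return JSON.parse(json);
}

// Expiry (epoch seconds) of a stored token object. okta-auth-js token objects
// carry `expiresAt`; fall back to the JWT `exp` claim when it is absent.
function tokenExpiresAt(token) {
  if (!token) return 0;
  if (Number.isFinite(token.expiresAt)) return token.expiresAt;
  const jwt = token.accessToken || token.idToken;
  return jwt ? Number(decodeJwtPayload(jwt).exp) || 0 : 0;
}

function readTokens(storage) {
  const raw = storage.getItem(TOKEN_STORAGE_KEY);
  if (!raw) return null;
  try { return JSON.parse(raw); } catch (e) { return null; }
}

// What the app should do on load or before an API call:
//   'login' - no access token at all, send the user to the login page
//   'renew' - access token expired or within RENEW_AHEAD_SECONDS, try a silent renew
//   'ok'    - keep going
function evaluateSession(storage, nowSeconds) {
  const tokens = readTokens(storage);
  if (!tokens || !tokens.accessToken) return 'login';
  return tokenExpiresAt(tokens.accessToken) - nowSeconds <= RENEW_AHEAD_SECONDS ? 'renew' : 'ok';
}

// Reaction to a rejected silent renew. login_required (the console error in
// post #1) means the Okta session behind the renew is gone: discard the stale
// tokens and redirect, instead of leaving the app running on an expired token.
// Transient failures keep the tokens so the app can retry.
function handleRenewError(err, storage, redirect) {
  const code = err && err.errorCode;
  if (code === 'login_required' || code === 'interaction_required' || code === 'consent_required') {
    storage.removeItem(TOKEN_STORAGE_KEY);
    redirect(LOGIN_URL);
    return 'redirected';
  }
  return 'retry';
}

// --- constructed sample data so the example runs offline (Node only) ---
function memoryStorage() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v), removeItem: k => m.delete(k) };
}
// Unsigned sample JWT (header and payload, fake signature). Never accept unsigned tokens for real.
function sampleJwt(payload) {
  const enc = o => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none' })}.${enc(payload)}.sig`;
}
function storeSampleTokens(storage, expiresAt) {
  storage.setItem(TOKEN_STORAGE_KEY, JSON.stringify({
    accessToken: { accessToken: sampleJwt({ exp: expiresAt }), expiresAt },
    idToken: { idToken: sampleJwt({ exp: expiresAt }), expiresAt },
  }));
}

// Walk through the thread's scenario: five-minute token, Okta session cookie gone.
function demo() {
  const storage = memoryStorage();
  const issuedAt = 1700000000;
  storeSampleTokens(storage, issuedAt + 300);
  const visited = [];
  return {
    fresh: evaluateSession(storage, issuedAt + 10),        // 'ok'
    expired: evaluateSession(storage, issuedAt + 301),     // 'renew'
    renewFailed: handleRenewError({ errorCode: 'login_required' }, storage, u => visited.push(u)),
    afterLogout: evaluateSession(storage, issuedAt + 302), // 'login': tokens were cleared
    redirectedTo: visited[0],
  };
}
```

Two points worth noting for the thread's setup: the check runs against the token the app already holds, so it works whether or not the login page lives on a separate origin, and the `login_required` branch is where the React UI gets its chance to act on the rejected renew that post #7 says it cannot otherwise see.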


#4

@kylefornia I’m having the same issue. Did you ever come up with a solution?


#5

We’re also having the same issue with our React (implicit auth).


#6

@robertjd Was there ever a solution or ticket opened for this problem?

I’ve had problems reproducing the bug, but I was able to get a few more details.


#7

@brickard Brian, if you try to use your web application using incognito or something similar are you still having this problem?

This only happens to us if we have remnants of the old session/cookie and there’s no way for a React UI to react to this promise rejection.


#8

No, I haven’t been using incognito mode. Having the problem in “regular” mode. I can see why running in incognito mode you may not have the problem. I haven’t reproduced it in incognito, but I will try and see what I come up with.

I can’t imagine telling customers to run our app in incognito mode is going to be an acceptable answer.


#9

Oh yeah, ours too. If you’re wondering what we’re using, we’re using Okta and React with implicit flow. This happens every time we log back into our web application. After a couple of refreshes we’re redirected back to Okta’s login page.


#10

I have the same problem. Technically, it should redirect to the login page after the session expires.


#11

I agree with you prajal5, do you have a React-based project?


#12

Yes, my front end is a React app, my backend is an ASP.NET Core microservice.


#13

@rodoabad Today, Okta released version 1.1.1 of their React middleware, and it seems to have fixed the problem for us.