I currently have the following lifetime settings for my tokens - access_token - 5 minutes, refresh_token - 7 minutes but will expire if not used every 5 minutes. These configs are just for test. After 7 minutes my refresh token is dead and due to the auto renew = true access token remains valid for 3 minutes. After that I expect my user to be logged out, because the refresh token is not valid, and I see this failed token refresh request, but another request follows immediately where I get a new pair of tokens. I expect that I will be logged out after my refresh token is dead. Could someone explain to me why I am never logged out?
Since you mention you have auto renew = true, are you using the Okta Auth JS library? When the tokens are expired, they are removed from storage.
I see this failed token refresh request but another request follows immediately where I get a new pair of tokens.
Are the users then redirected to a page which initiates the login flow again? If yes, it could be because the Okta session is still valid so the subsequent request is able to successfully retrieve new tokens.
Yes, you are right. I am using the Auth JS library. My refresh token is expired, the access token remains valid for some time. A new request is sent 30 seconds before it becomes invalid and since my refresh token is invalid, the request fails and tokens are removed from storage, but a few seconds after that the login flow is repeated again and I get a new pair of tokens. How do I know if a user has an active session after the refresh token has expired? I want my users to log out after 8 hours of work. I was sure the refresh token lifetime was responsible for this. Here are my session configs.
You can verify by opening a new tab and going to your Okta url (https://{yourOrg}.okta.com or https://{yourOrg}.oktapreview.com). If you see the Okta user dashboard, you have an active Okta session. If you see the Okta login page then you do not have an active Okta session.
You will want to find out what is triggering the login flow. If you can not stop it then you will want to call signOut to clear the Okta session.
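The guard logic this answer points at, as an added example that is not code from the thread or from Okta: once the token manager is empty, the guard checks whether an Okta session still exists and, if the app's own hard limit (8 hours in the question) has passed, calls signOut so the session cannot silently hand out a new token pair. The method names (tokenManager.getTokens, session.exists, signOut, signInWithRedirect) follow okta-auth-js; the in-memory client, maxSessionMs and loginTime are constructed for the example.

```javascript
// Added example (not from the thread): route guard that ends the Okta session
// instead of letting signInWithRedirect() re-issue tokens after a refresh failure.
async function guardRoute(authClient, { maxSessionMs, loginTime, now = Date.now() } = {}) {
  // okta-auth-js removes expired tokens from storage, so an empty token manager
  // means the access token is gone and the refresh token could not renew it.
  const { accessToken, refreshToken } = await authClient.tokenManager.getTokens();
  if (accessToken && refreshToken) return 'allow';

  // The refresh token being dead does not end the Okta session (cookie on the
  // Okta domain). If that session is alive, a redirect login succeeds without a prompt.
  const sessionAlive = await authClient.session.exists();
  const pastLimit = maxSessionMs !== undefined && now - loginTime >= maxSessionMs;
  if (sessionAlive && pastLimit) {
    await authClient.signOut(); // clears the Okta session; next login shows the login page
    return 'signed-out';
  }

  // Within the allowed window (or no session at all): start the normal login flow.
  await authClient.signInWithRedirect();
  return 'redirect-login';
}

// Constructed stand-in for the okta-auth-js client so the guard can run offline.
function makeFakeClient({ tokens, sessionAlive }) {
  const calls = [];
  return {
    calls,
    tokenManager: { getTokens: async () => tokens },
    session: { exists: async () => sessionAlive },
    signOut: async () => { calls.push('signOut'); },
    signInWithRedirect: async () => { calls.push('signInWithRedirect'); },
  };
}

const EIGHT_HOURS_MS = 8 * 60 * 60 * 1000;
```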
Here is my route guard
If my user is not authenticated, since the token manager is empty, I redirect him to the main route, and inside the controller which is responsible for this route I call the function handleAuthentication where I have this part. In the loginOkta function I make a signInWithRedirect call.
Do you mean that I should destroy the session in my route guard and prevent the signInWithRedirect call to be sure that the session is dead?