What does refresh token lifetime do?

The “Refresh token lifetime” configurable in the access rule can be used to customize how long a refresh token will last after it is issued. If your application is using refresh tokens, they will be issued at the same time the ID and Access tokens are issued, and can be used to request new ID and Access Tokens upon their expiration (that’s why the refresh token lifetime MUST be greater than the access token lifetime in your rule, you’ll see an error if you try to make the refresh token expire before the access token).

As for whether the expiration of the refresh token will result in your user being signed out, that depends on how your application is configured as well as your Org’s general Sign On policy. Our front-end SDKs have two methods they use to extend a user’s session once their refresh tokens expire (powered by the renewToken method):

  1. if there is a refresh token available in the tokenManager (offline_access scope requested and allowed for the application), it will attempt to use the refresh token to get new tokens.
  2. if there is no refresh token in the tokenManager, or it has expired, the SDK will instead try to use the Okta session cookie in the browser to perform silent token renewal (using AuthJS’s getWithoutPrompt method). This method is reliant on the browser being able to access the ‘sid’ cookie set for an authenticated user on your Okta domain from the domain your application is hosted on. This method can/will fail in browsers that block third party cookies if your application is not hosted on the same domain as your Okta tenant.

Based on the behavior you are seeing, the user is likely remaining logged in due to the presence of the Okta session. The lifetime of the Okta session is part of the Sign On Policy that your user falls under.

To confirm, you can log the user into your app, access the Okta dashboard in another tab to log out of Okta (killing the Okta session), and then wait 7 minutes. You should now see that the user will fail to have their tokens renewed and they will need to re-authenticate to access your application.

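The renewal order described in this answer, modelled as an added example (this is not the Okta SDK's code nor code from the original post). The lifetimes, the `tokenStore` shape, the `sessionState` object with its `oktaSessionActive` and `sidCookieReadable` flags, and the function names are all constructed for this example; the real SDK reads the token store and the `sid` cookie itself.

```javascript
// Added example, not code from the Okta SDK or the original post. It models the
// renewal order the answer describes: refresh token first, Okta session cookie second,
// otherwise re-authentication. All names, lifetimes and state objects are constructed.

const ACCESS_TOKEN_LIFETIME_S = 5 * 60;   // constructed: ID/access tokens live 5 minutes
const REFRESH_TOKEN_LIFETIME_S = 60 * 60; // constructed: refresh token lives 1 hour

// The access-rule constraint from the answer: the refresh token must outlive the access token.
function validateLifetimes(accessSeconds, refreshSeconds) {
  if (refreshSeconds <= accessSeconds) {
    throw new Error('refresh token lifetime must be greater than access token lifetime');
  }
  return true;
}

// ID, access and (if offline_access was granted) refresh tokens are issued together.
function issueTokens(nowSeconds, withRefresh) {
  validateLifetimes(ACCESS_TOKEN_LIFETIME_S, REFRESH_TOKEN_LIFETIME_S);
  const store = {
    accessToken: { expiresAt: nowSeconds + ACCESS_TOKEN_LIFETIME_S },
    idToken: { expiresAt: nowSeconds + ACCESS_TOKEN_LIFETIME_S },
  };
  if (withRefresh) {
    store.refreshToken = { expiresAt: nowSeconds + REFRESH_TOKEN_LIFETIME_S };
  }
  return store;
}

function isUsable(token, nowSeconds) {
  return token !== undefined && token.expiresAt > nowSeconds;
}

// Renewal order from the answer:
//   1. a usable refresh token in the token store is tried first;
//   2. otherwise fall back to the Okta session cookie, which needs an active Okta
//      session AND a browser that lets the app's origin reach the 'sid' cookie
//      (third-party cookie blocking on a different domain breaks this path);
//   3. otherwise the user has to re-authenticate.
// sessionState is a constructed stand-in for browser/Okta state:
//   { oktaSessionActive: boolean, sidCookieReadable: boolean }
function renewTokens(store, nowSeconds, sessionState) {
  if (isUsable(store.refreshToken, nowSeconds)) {
    // Refresh grant: new ID/access tokens; this model keeps the existing refresh token.
    const next = issueTokens(nowSeconds, false);
    next.refreshToken = store.refreshToken;
    return { method: 'refresh_token', renewed: true, store: next };
  }
  if (sessionState.oktaSessionActive && sessionState.sidCookieReadable) {
    // Silent renewal via the Okta session; this model re-issues ID/access tokens only.
    return { method: 'session_cookie', renewed: true, store: issueTokens(nowSeconds, false) };
  }
  return { method: 'reauthenticate', renewed: false, store };
}

// The check the answer suggests: log in without refresh tokens, kill the Okta session
// from another tab, wait 7 minutes (past the 5-minute access token), then try to renew.
function logoutFromOktaThenWait() {
  const afterLogin = issueTokens(0, false);
  const sessionKilled = { oktaSessionActive: false, sidCookieReadable: true };
  return renewTokens(afterLogin, 7 * 60, sessionKilled);
}
```

Running `logoutFromOktaThenWait()` in this model yields `method: 'reauthenticate'`, which is the outcome the answer predicts once the Okta session is gone; flipping `oktaSessionActive` back to `true` (session still alive) makes the same call succeed through the cookie path, which is why a live Okta session keeps users logged in after the refresh token has expired.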