Users are stuck at the login page because their tokens fail validation, so the tokens are never stored. As a result, users are not redirected after signing in with showSignInToGetTokens. This applies to:
- Machine with a manually set system clock
- OIDC applications using Okta JS SDKs, including the Okta Sign In widget
- Okta hosted widget
- Okta self-hosted widget
Okta Auth JS validates the token lifetime before storing the token. If the client's clock is behind or ahead of Okta's clock by more than the allowed skew, validation fails and the user is not redirected properly after login. The maxClockSkew value defaults to 300 (five minutes). This is the maximum difference allowed (+/-), in seconds, between the client's clock and Okta's when validating tokens. Setting this to 0 is not recommended because it increases the likelihood that valid tokens will fail validation.
To resolve the issue, perform one of the actions described below:
Increase the maxClockSkew, for example, to 900 seconds (15 minutes):

var signIn = new OktaSignIn({
  // Assumes there is an empty element on the page with an id of 'osw-container'
  el: '#osw-container',
  baseUrl: 'https://{OktaDomainName}',
  authParams: {
    // Allow up to 15 minutes of difference between the client's clock and Okta's
    maxClockSkew: 900
  }
});
Alternatively, disable token lifetime validation using ignoreLifetime. Token lifetimes are normally validated against the maxClockSkew; setting ignoreLifetime to true overrides this and disables the token lifetime validation entirely:

var signIn = new OktaSignIn({
  // Assumes there is an empty element on the page with an id of 'osw-container'
  el: '#osw-container',
  baseUrl: 'https://{OktaDomainName}',
  // ... other OktaSignIn options omitted ...
  authParams: {
    // Skip the token lifetime (exp/iat) check entirely
    ignoreLifetime: true,
  }
});
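The following is an added example, not Okta's code or the SDK's implementation: a minimal model of the lifetime check described above (tokens rejected when the client clock is outside maxClockSkew of Okta's, or skipped entirely with ignoreLifetime) so that both fixes can be tried against a constructed token. The claim handling (exp and iat), the reason strings, and the makeTestToken helper are assumptions for illustration; the token is unsigned sample data and no signature verification is performed. Note that ignoreLifetime also stops the client from rejecting genuinely expired tokens, which is why widening maxClockSkew is the more conservative of the two fixes.

```javascript
// Added example (not Okta's own code): models how a token-lifetime check
// behaves under clock skew, with maxClockSkew and ignoreLifetime options.

// Decode the payload of a compact JWS (header.payload.signature).
// No signature verification here; only the lifetime claims matter for this example.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Validate token lifetime against the client's idea of "now" (seconds since epoch).
// Returns { ok, reason } so the caller can decide whether to store the token.
function validateLifetime(token, authParams, nowSeconds) {
  const { maxClockSkew = 300, ignoreLifetime = false } = authParams;
  if (ignoreLifetime) return { ok: true, reason: 'lifetime check skipped' };
  const claims = decodeJwtPayload(token);
  if (typeof claims.exp !== 'number' || typeof claims.iat !== 'number') {
    return { ok: false, reason: 'missing exp or iat claim' };
  }
  // Expired even if the client clock is maxClockSkew seconds ahead of Okta's.
  if (nowSeconds - maxClockSkew > claims.exp) {
    return { ok: false, reason: 'token expired' };
  }
  // Issued in the future even if the client clock is maxClockSkew seconds behind Okta's.
  if (nowSeconds + maxClockSkew < claims.iat) {
    return { ok: false, reason: 'token issued in the future' };
  }
  return { ok: true, reason: 'lifetime ok' };
}

// Build an unsigned test token (constructed sample data, alg "none", empty signature).
function makeTestToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(claims)}.`;
}

// Scenario (constructed): Okta issued the token at OKTA_NOW with a one-hour lifetime.
const OKTA_NOW = 1700000000;
const freshToken = makeTestToken({ iat: OKTA_NOW, exp: OKTA_NOW + 3600, sub: 'user@example.com' });
// A second token that expires two minutes after issue, to show the "+" side of the skew.
const shortToken = makeTestToken({ iat: OKTA_NOW, exp: OKTA_NOW + 120, sub: 'user@example.com' });
const clientNowSlow = OKTA_NOW - 600; // client clock 10 minutes behind Okta
const clientNowFast = OKTA_NOW + 600; // client clock 10 minutes ahead of Okta

// Run each configuration and report whether the token would be stored.
function runScenarios() {
  return {
    exactClock:     validateLifetime(freshToken, {}, OKTA_NOW).ok,                     // true
    slowDefault:    validateLifetime(freshToken, { maxClockSkew: 300 }, clientNowSlow).ok, // false
    slowWiderSkew:  validateLifetime(freshToken, { maxClockSkew: 900 }, clientNowSlow).ok, // true
    slowIgnored:    validateLifetime(freshToken, { ignoreLifetime: true }, clientNowSlow).ok, // true
    fastNearExpiry: validateLifetime(shortToken, { maxClockSkew: 300 }, clientNowFast).ok, // false
    fastWiderSkew:  validateLifetime(shortToken, { maxClockSkew: 900 }, clientNowFast).ok, // true
  };
}

console.log(runScenarios());
```

With the default skew, a client clock 10 minutes behind Okta's rejects a freshly issued token as "issued in the future", and a clock 10 minutes ahead rejects a token that is close to expiry; raising maxClockSkew to 900 makes both pass, while ignoreLifetime skips the check regardless of the clock.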
