When reviewing Developer Tools or a HAR trace while accessing an OAG application, frequent calls to "/oagNPSessionIntrospect-b51ce026-f27f-44af-b65d-1dd9c24f00ff/index.html" are noticed, and they appear to occur on a regular basis.
Users/developers may be unclear about why they are seeing this, or if it is something abnormal that warrants concern.
- Okta Access Gateway (OAG)
These calls are caused by an Advanced Policy that has been configured in the OAG application to "Extend AJAX session handling". More information about this policy can be found in the following documentation: Advanced Access Gateway policy examples.
Per the documentation, "Once included, the associated script executes on the defined interval, checking if a user session is inactive. When a user session expires, the script alerts the user and refreshes the page. The user then gets a new session if an Okta session exists. Otherwise, the user must reauthenticate."
While OAG administrators may have chosen to configure this policy for expected reasons, it may not be clear that the internal scripts involved in this policy are designed to specifically call the "/oagNPSessionIntrospect-b51ce026-f27f-44af-b65d-1dd9c24f00ff/index.html" resource.
Overall, these calls are not inherently a problem, and no action is necessarily required. If users are concerned by the presence of these calls, OAG administrators should explain the purpose of this policy by referencing the documentation: Advanced Access Gateway policy examples.
If the extended AJAX session handling is not actually desired or is otherwise causing problems, the respective policies can be reconfigured as necessary to remove it.
To keep this extended AJAX session handling but have these calls occur less frequently, consider increasing the "oagSMTimeoutSeconds" value in the respective policies. Per the documentation, this parameter is defined as "Required, no default. Frequency to run the script to check session in seconds."
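One way to confirm from an exported HAR file that these calls follow the policy's interval is to measure the spacing between them. The script below is an added example, not Okta code. The hostname and timestamps in the sample are constructed, and the path pattern assumes only the "/oagNPSessionIntrospect-…/index.html" shape shown above.

```python
import re
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Path shape taken from the article; the suffix after the dash is not assumed.
INTROSPECT_RE = re.compile(r"^/oagNPSessionIntrospect-[^/]+/index\.html$")

def _parse_ts(value):
    # HAR startedDateTime is ISO 8601; older Pythons reject a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def introspect_intervals(har):
    """Return seconds between consecutive introspect calls, keyed by host."""
    by_host = {}
    for entry in har.get("log", {}).get("entries", []):
        url = urlsplit(entry["request"]["url"])
        if INTROSPECT_RE.match(url.path):
            stamp = _parse_ts(entry["startedDateTime"])
            by_host.setdefault(url.netloc, []).append(stamp)
    result = {}
    for host, stamps in by_host.items():
        stamps.sort()
        result[host] = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return result

def summarize(har):
    """Map host -> (number of calls, median interval in seconds or None)."""
    return {
        host: (len(gaps) + 1, median(gaps) if gaps else None)
        for host, gaps in introspect_intervals(har).items()
    }

# Constructed sample HAR: app.example.com and all timestamps are made up.
_INTROSPECT = ("https://app.example.com/oagNPSessionIntrospect-"
               "b51ce026-f27f-44af-b65d-1dd9c24f00ff/index.html")
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": t, "request": {"url": u}} for t, u in [
        ("2024-01-01T10:00:00.000Z", "https://app.example.com/home"),
        ("2024-01-01T10:00:30.000Z", _INTROSPECT),
        ("2024-01-01T10:01:30.500Z", _INTROSPECT),
        ("2024-01-01T10:01:45.000Z", "https://app.example.com/api/data"),
        ("2024-01-01T10:02:30.000Z", _INTROSPECT),
    ]
]}}

if __name__ == "__main__":
    # To analyze a real export: summarize(json.load(open("trace.har")))
    print(summarize(SAMPLE_HAR))
```

A median interval close to the policy's "oagSMTimeoutSeconds" value indicates the calls come from the session-handling script running on its configured schedule.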
