Okta Classic Engine | Lifecycle Management | Answered | 2025-03-14T09:00:19.000Z | 2018-12-05T13:19:30.000Z | 2020-09-20T14:55:35.000Z

n57qp (n57qp) asked a question.

Session/token management in multiple SPA website - Best Practices

Hi,

I'm working on implementing Okta for a website that is comprised of multiple single page applications as well as static pages served over a CDN. The organization would like to have its users 'stay logged in' indefinitely, or as long as possible, but have access_tokens be relatively short-lived.

We are planning to use the Okta sign-in widget and the okta-auth-js library. I'm reading through documentation and working on a proof of concept, but I am looking for some best practices information.

My questions are:

  1. To accomplish the 'stay logged in' feature with short-lived access_tokens, we plan to set our session lifetime in the Okta admin to be as long as possible while setting the access_token lifetime to be around 30 minutes. Is this the correct way to handle it?
  2. How should we handle session/token management w/in our single page applications that may live on different subdomains (cannot share local storage)? There are multiple functions available in the okta-auth-js library for getting a session, checking if a session exists, getting a token, refreshing a token, getting a token without prompt, etc. I'm interested in the most efficient and user friendly flow. My current thought is to make a call to tokenManager.get:

    // Look for an access_token already held by the token manager.
    authClient.tokenManager.get('access_token')
      .then(function(token) {
        if (token) {
          // User is logged in
        }
        else {
          // Try to get tokens w/o prompt (relies on the existing Okta session)
          authClient.token.getWithoutPrompt({
            scopes: ['openid', 'profile', 'email'],
            responseType: ['id_token', 'token']
          })
          .then(function(tokens) {
            // Store the tokens in the token manager
          })
          .catch(function(err) {
            // Assume session is expired, invalid, or does not exist. Redirect to sign-in page.
          });
        }
      });

Thanks!
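The flow sketched in the question, written out as an added example (it is not code from the original post or from okta-auth-js). It uses only the `tokenManager.get`/`tokenManager.add` and `token.getWithoutPrompt` calls the post already names, adds an expiry check before trusting a cached token, and ships with a constructed stand-in client so it runs offline; the `expiresAt` field is the epoch-seconds expiry okta-auth-js stores on token objects, and the time value and token strings are made up.

```javascript
// Added example, not code from the original post or from okta-auth-js.
// Bootstraps an SPA's auth state in the order the question sketches: reuse a
// cached access_token while it is valid; else renew silently with
// getWithoutPrompt(), which rides on the Okta session cookie (kept on the Okta
// org, so it spans subdomains that cannot share localStorage); else redirect.
const SCOPES = ['openid', 'profile', 'email'];
const SKEW_SECONDS = 60; // treat a token expiring within a minute as expired
const NOW = 1700000000; // constructed "current time" in epoch seconds

// tokenManager.get() may hand back an already-expired token; check expiresAt.
function isUsable(token, nowSeconds) {
  return Boolean(token && token.accessToken && typeof token.expiresAt === 'number'
    && token.expiresAt - SKEW_SECONDS > nowSeconds);
}

async function ensureTokens(authClient, nowSeconds = Math.floor(Date.now() / 1000)) {
  const cached = await authClient.tokenManager.get('access_token');
  if (isUsable(cached, nowSeconds)) return { outcome: 'cached', token: cached };
  try {
    // Hidden-iframe /authorize request with prompt=none; works only while the Okta session is alive.
    const res = await authClient.token.getWithoutPrompt({
      scopes: SCOPES, responseType: ['id_token', 'token'],
    });
    // okta-auth-js v3+ resolves { tokens: {...} }; older releases resolve an array in responseType order.
    const tokens = res.tokens || { idToken: res[0], accessToken: res[1] };
    authClient.tokenManager.add('access_token', tokens.accessToken);
    authClient.tokenManager.add('id_token', tokens.idToken);
    return { outcome: 'renewed', token: tokens.accessToken };
  } catch (err) {
    // No usable Okta session: the caller sends the user to the sign-in page.
    return { outcome: 'redirect', reason: err && err.errorCode };
  }
}

// Constructed stand-in for the okta-auth-js client so the flow runs offline.
function makeFakeClient({ cached, sessionAlive }) {
  const store = cached ? { access_token: cached } : {};
  const fresh = {
    accessToken: { accessToken: 'at-new', expiresAt: NOW + 1800 },
    idToken: { idToken: 'idt-new', expiresAt: NOW + 3600 },
  };
  return {
    tokenManager: {
      get: (key) => Promise.resolve(store[key]),
      add: (key, token) => { store[key] = token; },
    },
    token: {
      getWithoutPrompt: () => sessionAlive
        ? Promise.resolve({ tokens: fresh })
        : Promise.reject({ errorCode: 'login_required' }),
    },
  };
}
```

Each SPA on each subdomain runs `ensureTokens` on load; because the silent renewal depends on the Okta session rather than on shared browser storage, the short access_token lifetime and the long Okta session lifetime from question 1 compose without copying tokens between origins.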


This question is closed.