Okta Classic Engine | Single Sign-On | Answered | 2024-01-25T23:02:37.000Z | 2022-04-05T17:59:10.000Z | 2022-04-06T16:19:20.000Z

SteveL.75147 (Customer) asked a question.

Session token with OIDC flow

Hi,

I am trying to get some clarification regarding the relationship between the OIDC login flow (specifically authorization code with PKCE) and session management. As per the following documentation, it sounds like calling the session endpoints is only necessary if using a custom sign-in and landing page, which I did not.

https://developer.okta.com/docs/guides/session-cookie/main/*retrieve-a-session-cookie-through-the-openid-connect-authorization-endpoint

https://developer.okta.com/docs/reference/api/sessions/*session-operations

So does that mean that by using the built-in sign-on tools provided by Okta, the session is created at the same time? If so, how do I access the session cookie or session token to retrieve session information, and how does it get refreshed? Or does this simply happen behind the scenes, where I don't need access to the session token/cookie? If that is the case, how do I check the status of a session and refresh it if needed?


  • Hello @SteveL.75147 (Customer), thank you for reaching out to our community.

    An Okta session will be created, as the user needs to complete primary auth to log into the OIDC app. The Okta session is tracked via a session cookie (warning: this varies between Classic and OIE, see https://developer.okta.com/docs/guides/oie-upgrade-sessions-api/). The app should NOT be relying on the Okta session after the user logs into the OIDC app; it's only important for the original login OR to renew tokens for the user IF the application is not using refresh tokens. If you use refresh tokens, the Okta session doesn't matter.


    Kind Regards,

    • SteveL.75147 (Customer)

      Thank you for your reply, and that makes sense! My understanding is that refresh tokens are for updating access tokens. My question is that my idle session timeout does not seem to match the exp time mentioned in the access token. For example, for testing purposes I set the session timeout to 15 minutes, yet the exp time in the access token was still 2 hours. So how will I know if a session has timed out due to someone being idle? Will the refresh token expiration time be what matches the idle session timeout?

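The point made in the answer above, and the mismatch observed in the follow-up (a 15-minute idle session timeout next to a 2-hour access token exp), can be seen in code. The following is an added example, not code from the thread or from Okta: it builds a constructed, unsigned sample token with a 2-hour lifetime, reads its exp the way a client would to decide when to refresh, and shows that the decision depends on the token's own exp and on whether a refresh token is held, not on the Okta session's idle timer. The issuer URL, client_id, token claims and the "rt-example" refresh token are all placeholders; the refresh call follows the standard RFC 6749 §6 form for a PKCE public client.

```python
import base64
import json
import time
from typing import Optional, Tuple
from urllib.parse import urlencode

# Hypothetical org and client; not from the original thread.
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "0oaexampleclientid"
CLOCK_SKEW_SECONDS = 60  # treat a token as expired this long before exp


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned (alg=none) JWT used only as offline sample input.
    Not an Okta-issued token: real Okta access tokens are RS256-signed and must
    be verified against the issuer's JWKS before any claim is trusted."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url_encode(json.dumps(header).encode("utf-8")),
                     _b64url_encode(json.dumps(claims).encode("utf-8")),
                     ""])


def read_claims(jwt: str) -> dict:
    """Decode the payload without verifying the signature. Sufficient to decide
    *when* to refresh a token the client already holds; never use the result to
    authorize anything."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def token_action(access_token: str, refresh_token: Optional[str],
                 now: Optional[float] = None) -> str:
    """Next step for the client, based only on the access token's own exp.
    'use'            -> still valid (with skew margin)
    'refresh'        -> expired, refresh token held: call /v1/token
    'reauthenticate' -> expired, no refresh token: only a still-alive Okta
                        session (authorization endpoint) or a fresh sign-in
                        can produce new tokens"""
    now = time.time() if now is None else now
    exp = int(read_claims(access_token)["exp"])
    if now + CLOCK_SKEW_SECONDS < exp:
        return "use"
    return "refresh" if refresh_token else "reauthenticate"


def refresh_request(refresh_token: str,
                    scope: str = "openid offline_access") -> Tuple[str, dict, str]:
    """RFC 6749 §6 refresh call to the token endpoint. A PKCE public client has
    no secret, so client_id goes in the form body."""
    url = f"{ISSUER}/v1/token"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "refresh_token",
                      "refresh_token": refresh_token,
                      "client_id": CLIENT_ID,
                      "scope": scope})
    return url, headers, body


def seconds_remaining(access_token: str, now: float) -> int:
    return int(read_claims(access_token)["exp"] - now)


# Constructed scenario mirroring the thread: 2-hour access token lifetime and a
# 15-minute idle session timeout configured in Okta.
ISSUED_AT = 1_700_000_000
ACCESS_TOKEN_LIFETIME = 2 * 3600
IDLE_SESSION_TIMEOUT = 15 * 60
SAMPLE_ACCESS_TOKEN = make_sample_jwt({
    "iss": ISSUER, "aud": "api://default", "sub": "user@example.com",
    "iat": ISSUED_AT, "exp": ISSUED_AT + ACCESS_TOKEN_LIFETIME,
})

if __name__ == "__main__":
    # 20 minutes in: the idle session may already be gone, the token is not.
    t = ISSUED_AT + 20 * 60
    print("idle window exceeded:", t - ISSUED_AT > IDLE_SESSION_TIMEOUT)
    print("access token remaining (s):", seconds_remaining(SAMPLE_ACCESS_TOKEN, t))
    print("action, no refresh token:", token_action(SAMPLE_ACCESS_TOKEN, None, t))
    # Two hours in: token expired; the refresh token, not the session, decides.
    t = ISSUED_AT + ACCESS_TOKEN_LIFETIME
    print("action, no refresh token:", token_action(SAMPLE_ACCESS_TOKEN, None, t))
    print("action, refresh token held:", token_action(SAMPLE_ACCESS_TOKEN, "rt-example", t))
    url, _, body = refresh_request("rt-example")
    print("POST", url, body)
```

The access token stays usable for its full two hours even after the idle window has passed; a client that wants to end access when the Okta session does therefore cannot read that from the access token, and a client that holds a refresh token does not need the session at all, which is what the answer states.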
This question is closed.