RyanN.83801 (Customer) asked a question.
We are migrating from ADFS to Okta and are using Okta-React npm package to connect to a SPA okta application that uses OIDC. We have behavior where we want to stay on the page when the access token expires, and I was partially able to replicate it using Okta through offline_access. However, offline_access is only usable when refresh_token is enabled. But when we use refresh_token, our okta access session never seems to expire. We have a custom auth server set up with access_policy. Our access token lifetime is set to 15 minutes, refresh token lifetime set to 30 minutes, and [but will expire if not used every] set to 1 hour.
What is the difference between refresh token lifetime and [but will expire if not used every] ?
Hello @RyanN.83801 (Customer) Thank you for reacting out to our Community!
There was a similar question posted by other clients, please see below:
https://support.okta.com/help/s/question/0D51Y00005nVZn2SAG/what-is-the-lifetime-of-refresh-tokens-and-how-do-they-expire?language=en_US
Hope this helps and if this answered your question, please mark this as Best Answer!
Hi @Paul S. (Okta, Inc.) , I checked the thread but it didn't answer my question. In our case, our okta token seemingly refreshes and extends the expires_in time when it should normally expire. This is more of a security concern as sessions don't expire.