
DanielleM.61055 (Customer) asked a question.
Hi! I'm trying to figure out how to force my Okta OIDC/SPA Application to expire sessions automatically after 30 minutes of inactivity, or 2 hours maximum. I set up a custom Authentication Policy for this application that sets these parameters, and I've also set these parameters in my Global Session Policy. Still, the app seems to not expire tokens; it seems to be automatically renewing them? I can't quite figure it out and would appreciate any guidance y'all have to offer.

Hi @DanielleM.61055 (Customer), Thank you for reaching out to the Okta Community!
This question is more appropriate for our dedicated Okta Developer Forum.
My advice would be to reach out via devforum.okta.com to take advantage of their expertise.
While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-custom/developer work).
Something similar was discussed there:
https://devforum.okta.com/t/how-to-set-a-session-timeout-for-oidc-application/24854
Regards.
--
The primary thing that decides an application's session is the tokens, in addition to authentication policies.
Set the access token lifetime to 30 minutes and the refresh token limit to 2 hours.
SPA session expiration is dependent on how the app was implemented. It could be one of the following:
1) Okta session time - this is modified in the global session policy
2) id_token expiration time - this is adjusted in the custom authorization server. If you don't have a custom authZ server for this app then you'll need to create one
3) access_token expiration time - this is NOT customizable. It's hard-coded to 2 hours
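
The question's limits (30 minutes idle, 2 hours maximum) can also be enforced inside the SPA by gating silent token renewal on real user activity. The sketch below is an added example, not code from this thread or from Okta; `SessionLimits` and `simulate` are hypothetical names, and wiring `mayRenew` into whatever renewal mechanism the app's SDK uses is assumed.

```javascript
// Added example (not from the thread). Limits taken from the question.
const MIN = 60 * 1000;
const IDLE_LIMIT_MS = 30 * MIN;      // 30 minutes of inactivity
const ABSOLUTE_LIMIT_MS = 120 * MIN; // 2 hours maximum

// Hypothetical helper: tracks real user activity separately from token renewal.
class SessionLimits {
  constructor(loginAtMs) {
    this.loginAt = loginAtMs;
    this.lastActivity = loginAtMs;
  }
  status(nowMs) {
    if (nowMs - this.loginAt >= ABSOLUTE_LIMIT_MS) return 'expired-absolute';
    if (nowMs - this.lastActivity >= IDLE_LIMIT_MS) return 'expired-idle';
    return 'active';
  }
  // Call from user input handlers only (click, keydown), never from renewal timers;
  // an expired session cannot be revived by late activity.
  recordActivity(nowMs) {
    if (this.status(nowMs) === 'active') this.lastActivity = nowMs;
  }
  // Gate every silent renewal on this; when false, clear tokens and sign out.
  mayRenew(nowMs) {
    return this.status(nowMs) === 'active';
  }
}

// Replays a constructed timeline (minutes since login) with a renewal attempt
// every renewEveryMin minutes. gated=false models an app that always renews.
function simulate(activityMin, totalMin, renewEveryMin, gated) {
  const session = new SessionLimits(0);
  const activity = new Set(activityMin);
  for (let m = 1; m <= totalMin; m++) {
    if (activity.has(m)) session.recordActivity(m * MIN);
    const renewalDue = m % renewEveryMin === 0;
    if (renewalDue && gated && !session.mayRenew(m * MIN)) {
      return { endedAtMin: m, reason: session.status(m * MIN) };
    }
  }
  return { endedAtMin: null, reason: 'still-renewing' };
}

// Constructed timelines: user active at minutes 10 and 20, then idle.
console.log(simulate([10, 20], 240, 5, false)); // ungated: renewal never stops
console.log(simulate([10, 20], 240, 5, true));  // gated: ends on the idle limit
console.log(simulate([20, 40, 60, 80, 100, 120, 140], 240, 5, true)); // ends on the absolute limit
```

A client-side gate like this complements the token lifetimes and session policy configured on the server; it does not replace them, since the browser is under the user's control.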