I have followed the guide below and got into the application after Okta authenticates. https://developer.okta.com/docs/guides/implement-grant-type/authcode/main/
I have called the /logout endpoint to manually log out from my application; it works fine.
When I am not doing anything (idle) in the application for X time, I want it to log out automatically. Is there any option to configure this on the Okta server? Please help.
CodePudding user response:
There are a couple of things here:
As it's your application, you can manage your session as you like. If a user is idle for 15 minutes, for example, just log them out.
If your user tries to log back into your app after that, then it depends on the Okta session lifetime. If it's shorter than your application session time, Okta will require your user to authenticate again. But if the Okta session is longer than your app session, the user will be able to log back in without authenticating again.
Okta's session lifetime is configured in the sign-on policy inside Okta (Admin -> Security -> Authentication -> Sign On).
All of the above is valid only if you are not explicitly killing the Okta session during app logout, which can also be done.
UPDATE: by default, a lot of applications use the ID/access token lifetime to determine whether they need to go back to Okta to refresh those (the id_token expires after 60 minutes; the access token's lifetime depends on the authorization server policy).
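The answer's three points (track idleness in your own app, optionally kill the Okta session on logout, otherwise accept that Okta's own session lifetime decides whether re-login prompts) can be put together in a small server-side helper. The following is an added example, not code from the original post or from Okta: the issuer URL, client ID, redirect URIs, the AppSession class and the helper names are assumptions for illustration. Only the `/v1/logout` and `/v1/authorize` endpoints under the issuer, and the `id_token_hint`, `post_logout_redirect_uri` and `max_age` parameters, are standard Okta / OpenID Connect behaviour.

```python
"""Idle-timeout logout for an app that signs users in with Okta's
authorization-code flow.

Added example, not the original poster's code and not Okta's.  All names
below (OKTA_ISSUER, CLIENT_ID, POST_LOGOUT_URI, AppSession, the helper
functions) are assumed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
from urllib.parse import urlencode

OKTA_ISSUER = "https://dev-123456.okta.com/oauth2/default"  # assumed org + authZ server
CLIENT_ID = "0oaexampleclientid"                                # assumed app client ID
POST_LOGOUT_URI = "https://app.example.com/loggedout"           # assumed; must be registered in Okta
IDLE_LIMIT = timedelta(minutes=15)                              # app-side idle window from the answer


@dataclass
class AppSession:
    """What the app keeps server-side after exchanging the code for tokens."""
    id_token: str            # raw id_token from Okta, reused as id_token_hint on logout
    last_activity: datetime  # refreshed on every authenticated request


def is_idle_expired(session: AppSession, now: datetime,
                    limit: timedelta = IDLE_LIMIT) -> bool:
    """True once the user has been idle for at least `limit`."""
    return now - session.last_activity >= limit


def okta_logout_url(id_token: str,
                    post_logout_redirect_uri: str = POST_LOGOUT_URI) -> str:
    """RP-initiated logout.  Redirecting the browser here ends the Okta
    session too, so a later visit cannot silently re-enter the app while
    Okta's own (possibly longer) session lifetime is still running."""
    return f"{OKTA_ISSUER}/v1/logout?" + urlencode({
        "id_token_hint": id_token,
        "post_logout_redirect_uri": post_logout_redirect_uri,
    })


def reauth_authorize_url(redirect_uri: str, state: str, nonce: str,
                         max_age: int = int(IDLE_LIMIT.total_seconds())) -> str:
    """Authorization request for the alternative where the Okta session is
    left alive: the OIDC max_age parameter asks Okta to re-authenticate
    the user if their last login is older than max_age seconds, instead of
    relying on Okta's sign-on policy to be shorter than the app session."""
    return f"{OKTA_ISSUER}/v1/authorize?" + urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid profile",
        "state": state,
        "nonce": nonce,
        "max_age": max_age,
    })


def process_request(session: AppSession,
                    now: datetime) -> Tuple[str, Optional[str]]:
    """Per-request hook a web framework would run before the handler.
    Returns ("continue", None) and refreshes the activity stamp, or
    ("logout", <Okta logout URL>) once the idle limit is reached; the
    caller then clears its own session and redirects to that URL."""
    if is_idle_expired(session, now):
        return "logout", okta_logout_url(session.id_token)
    session.last_activity = now
    return "continue", None


def demo() -> dict:
    """Constructed walk-through: one session, three requests over 39 minutes."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    s = AppSession(id_token="eyJ.constructed.token", last_activity=t0)
    first = process_request(s, t0 + timedelta(minutes=10))   # active: stamp moves to 12:10
    second = process_request(s, t0 + timedelta(minutes=24))  # 14 min idle: still allowed
    third = process_request(s, t0 + timedelta(minutes=39))   # 15 min idle: logout
    return {
        "first": first,
        "second": second,
        "third": third,
        "reauth": reauth_authorize_url("https://app.example.com/callback",
                                       "st4te", "n0nce"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two things to keep in mind when wiring this into a real app: the `post_logout_redirect_uri` must be one of the logout redirect URIs registered on the Okta application, and the `id_token_hint` must be the id_token of the session you are ending, so the app has to keep it (or a reference to it) alongside its own session state. If you choose not to kill the Okta session, `max_age` on the next authorization request is the standard way to make Okta re-prompt an idle user even when the sign-on policy session is longer than your app's idle window.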