Okta's OIDC implementation has a hard limit of 1 hour for access tokens. mozilla-django-oidc's SessionRefresh middleware lets us push that limit so long as the user is active within the past ~45 minutes, but it seems more sensible to make use of the refresh token (which has a configurable timeout). Refresh tokens would allow Django to silently renew the user's access for potentially weeks, if desired. Refresh tokens don't lose any of the security benefits of SessionRefresh -- the access token must still be re-retrieved, which means we're still confirming that the user is valid in Okta. Without this, after an hour of inactivity, users are logged out of our app (even if they are still logged into Okta) because the access token expired.
In reviewing existing issues, I suspect #377 is a workable implementation, though that PR's languished.
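A sketch of the refresh_token grant this issue proposes, added here as an illustration; it is not mozilla-django-oidc's own code and not the #377 PR. It assumes hypothetical session key names, takes the token endpoint URL and client credentials as parameters, and accepts an injectable `post` callable so the renewal logic can be exercised offline; a Django middleware would call `refresh_access_token(request.session, ...)` on each request.

```python
"""Hypothetical refresh-token renewal for a Django session (added example)."""
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed session keys (constructed for this example; the library uses its own names).
ACCESS_KEY = "oidc_access_token"
REFRESH_KEY = "oidc_refresh_token"
EXPIRES_KEY = "oidc_token_expires_at"


def default_post(url, form, auth):
    """POST a form to the token endpoint with HTTP Basic client auth; return parsed JSON."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    creds = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req.add_header("Authorization", f"Basic {creds}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def refresh_access_token(session, token_url, client_id, client_secret,
                         post=default_post, now=time.time):
    """Renew the access token via the OIDC refresh_token grant when it has expired
    or is within 60 s of expiring. Returns True if a valid access token is present
    afterwards. On refusal or error the tokens are dropped so the user is sent back
    through the normal login flow (the IdP re-confirms the user on every renewal)."""
    if session.get(ACCESS_KEY) and now() < session.get(EXPIRES_KEY, 0) - 60:
        return True  # still valid; no round trip to the IdP needed
    refresh = session.get(REFRESH_KEY)
    if not refresh:
        return False
    try:
        body = post(token_url, {"grant_type": "refresh_token",
                                "refresh_token": refresh, "scope": "openid"},
                    (client_id, client_secret))
    except Exception:
        body = None
    if not body or "access_token" not in body:
        # IdP refused (refresh token expired/revoked, user deactivated): force re-login.
        for key in (ACCESS_KEY, REFRESH_KEY, EXPIRES_KEY):
            session.pop(key, None)
        return False
    session[ACCESS_KEY] = body["access_token"]
    session[EXPIRES_KEY] = now() + int(body.get("expires_in", 3600))
    # RFC 6749 allows the IdP to rotate the refresh token; keep the newest one if returned.
    session[REFRESH_KEY] = body.get("refresh_token", refresh)
    return True
```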