Okta session Timeout

I am trying to implement Okta session timeout for my Angular 19 and Spring Boot application. I am using Okta version 6.3.0, and my session timeout is 30 minutes. I am able to sign out of the application successfully and see the Okta sign-in page with a Back to sign in option, but when I hit Back to sign in it redirects to the Okta dashboard and not to my application login.

As a user, Back to sign in should redirect to my application sign-in page. How do I implement this?

To me this sounds like there isn't a post_logout_redirect_uri being sent by your application during signout. That parameter tells Okta where the user should be redirected after the signout redirect occurs, but when it is not sent, the default behavior is for the user to land on the regular Okta login page. When a user logs in from the default login page, there is no application context available and the user will only be logged into the Okta Dashboard (or the default app for your brand, if it's been customized).

Can you check the network events during this logout to confirm whether or not that is the case? You should be able to see what parameters are being sent to /v1/logout, though you will need to ensure you have the "Preserve log" option enabled in your network tab to track all the requests that happen before and after browser redirects.
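The check suggested above can be scripted. The following JavaScript is an added example, not code from this thread or from Okta's SDK: it builds a /v1/logout URL the way an OIDC client would, and inspects a logout URL copied from the network tab to report whether it carries id_token_hint and a post_logout_redirect_uri that exactly matches one of the app's registered sign-out redirect URIs. The issuer URL and token value are constructed placeholders; the redirect URI is the one quoted later in the thread.

```javascript
// Added example (not from the thread): build and inspect an Okta /v1/logout request.
// Runs under Node.js using only the built-in URL / URLSearchParams classes.

// Build the logout URL an OIDC client sends to end the Okta session.
// Okta's /v1/logout requires id_token_hint; post_logout_redirect_uri is optional,
// but without it the user lands on the generic Okta sign-in page with no app context.
function buildLogoutUrl(issuer, idToken, postLogoutRedirectUri, state) {
  const url = new URL(`${issuer.replace(/\/$/, '')}/v1/logout`);
  url.searchParams.set('id_token_hint', idToken);
  url.searchParams.set('post_logout_redirect_uri', postLogoutRedirectUri);
  if (state) url.searchParams.set('state', state);
  return url.toString(); // searchParams percent-encodes ":" and "/" in the redirect URI
}

// Inspect a captured logout request URL and list anything that would prevent the
// user from being returned to the application after sign-out.
function inspectLogoutRequest(requestUrl, allowedPostLogoutUris) {
  const url = new URL(requestUrl);
  const params = url.searchParams;
  const postLogoutRedirectUri = params.get('post_logout_redirect_uri');
  const hasIdTokenHint = Boolean(params.get('id_token_hint'));
  const isLogoutEndpoint = url.pathname.endsWith('/v1/logout');
  const problems = [];

  if (!isLogoutEndpoint) {
    problems.push(`not a logout request: path is ${url.pathname}`);
  }
  if (!hasIdTokenHint) {
    problems.push('missing id_token_hint');
  }

  let redirectAllowed = false;
  if (postLogoutRedirectUri === null) {
    problems.push('missing post_logout_redirect_uri: user will land on the Okta sign-in page with no app context');
  } else {
    // Okta compares the value against the app's registered sign-out redirect URIs
    // exactly (scheme, host, port and path), so compare as whole strings, not prefixes.
    redirectAllowed = allowedPostLogoutUris.includes(postLogoutRedirectUri);
    if (!redirectAllowed) {
      problems.push(`post_logout_redirect_uri ${postLogoutRedirectUri} is not a registered sign-out redirect URI`);
    }
  }

  return { isLogoutEndpoint, hasIdTokenHint, postLogoutRedirectUri, redirectAllowed, problems };
}

// Demo with constructed values (placeholder issuer and token).
const DEMO_ISSUER = 'https://example.oktapreview.com/oauth2/default';
const DEMO_REGISTERED = ['http://localhost:4200/login'];
const demoUrl = buildLogoutUrl(DEMO_ISSUER, 'placeholder.id.token', 'http://localhost:4200/login');
console.log(demoUrl);
console.log(inspectLogoutRequest(demoUrl, DEMO_REGISTERED));
// A request that omits post_logout_redirect_uri reproduces the "no app context" case.
console.log(inspectLogoutRequest(`${DEMO_ISSUER}/v1/logout?id_token_hint=placeholder.id.token`, DEMO_REGISTERED));
```

Paste the URL of the /v1/logout request from the network tab into inspectLogoutRequest together with the sign-out redirect URIs registered for the app in the Okta admin console; a mismatch in port, path or trailing slash will show up as a problem even though the parameter is present.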

I have this as part of my request URL in my network tab: post_logout_redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Flogin, and I am configuring the post-logout redirect URI for my session timeout like this:

  async logout() {
    try {
      console.log('Calling oktaAuth.signOut...');
      // Okta returns the browser to this URI after ending the session; it must exactly
      // match a sign-out redirect URI registered for the application in Okta.
      await this.oktaAuth.signOut({
        postLogoutRedirectUri: window.location.origin + '/login'
      });
    } catch (error) {
      console.error('Logout failed', error);
    }
  }

Can you share some screenshots of what you're seeing during this flow? For example, where are you hitting Back to sign in?

The image on the left is after timeout. When I hit Back to sign in, I need to be redirected to the application, but the sign-in page I am redirected to is the Okta Dashboard, which is shown in the screenshot on the right.

What widget version are you using on your sign-in page? Can you try updating to the latest version to see if that resolves this issue?

I am trying to get that information from the Okta team, as I don't have access to the Okta admin dashboard to know whether it is the latest version or not. Meanwhile I am sharing a screenshot: I am using version 7.33.3 of the widget; my other applications within our network are using 7.33.2.

Also, I have one other observation: all the other applications' Back to sign in links point to a different URL format.

Other applications:
data-se="go-back" href="https://myapps.secure."domain".com/purpleid/signout/" class="link js-go-back">Back to sign in

My application:
data-se="go-back" href="https://purpleid-test.oktapreview.com" class="link js-go-back">Back to sign in

I want to go back to something you said earlier:

I am able to signout of the application successfully and see the okta sign in page with back to sign in option

How are you signing out of the application? Is it making a /v1/logout redirect to the authorization server? If so, is it including a post_logout_redirect_uri in that request?

A post_logout_redirect_uri may be specified to redirect the browser after the logout is performed. Otherwise, the browser is redirected to the Okta sign-in page.

I'm wondering if right now, during logout, the application is redirecting to the /v1/logout endpoint to end the Okta session but is not including a post_logout_redirect_uri value, causing the user to be redirected back to the Okta login page. Since in that scenario they would simply have been redirected back to Okta, there would not be an application in context were they to sign in again.

Yeah, so we are including a post_logout_redirect_uri, which is already added in the Okta admin dashboard, and that part is working fine.

After logging out due to inactivity we are hitting this screen. This is if I stay on the same browser without activity on it for 30 min, which is the time I set. From this screen I am able to reauthenticate using my credentials and get back to the application.

The problem is if we leave this screen for a while. Let's say my session inactivity is 30 min and I am on some other browser and come back to the screen after 40 min; then I land on this screen with a Back to sign in option, as you can see below. Once I hit Back to sign in here, it redirects me to the Okta dashboard login and not my application login, as I mentioned earlier.

Hmm. If you have a custom domain for your Okta org, one option would be to modify the sign-in page to override where the Back to sign in link takes users. You might need some conditional logic for this so that you don't always replace the Back to sign in link and only do so when this particular error occurs.

If this is the only/main application in your Okta org, another option would be to set the "Default Application for Sign-In Widget" to this target application, so that even if the application context is lost, users would be routed to your application instead of the Okta Dashboard (which is the default behavior).
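The conditional override described above can be done from the custom sign-in page's own script. The following JavaScript is an added example, not code from this thread or from Okta: it rewrites the widget's Back to sign in link only when that link points at the bare org origin (the "lost application context" case shown in the markup quoted earlier), and leaves links that already carry an app-specific target alone. It assumes the `a[data-se="go-back"]` selector from the quoted markup, the Sign-In Widget's `afterRender` event for re-applying the rewrite after each re-render, and the thread's org origin and Angular login URL as constructed values. The decision logic is kept separate from DOM wiring and exercised against a tiny in-memory stand-in for the DOM, so it runs under Node.js without a browser.

```javascript
// Added example (not from the thread): conditionally override the Sign-In Widget's
// "Back to sign in" link on a custom-domain sign-in page.

// Decide what the link should point at. Only a link to the bare org origin
// (no path, no query) is treated as "application context lost" and replaced.
function pickBackToSignInHref(currentHref, oktaOrigin, appLoginUrl) {
  let target;
  try {
    target = new URL(currentHref);
  } catch {
    return currentHref; // relative or malformed href: leave it untouched
  }
  const org = new URL(oktaOrigin);
  const isBareOrg =
    target.origin === org.origin &&
    (target.pathname === '/' || target.pathname === '') &&
    target.search === '';
  return isBareOrg ? appLoginUrl : currentHref;
}

// Apply the decision to the rendered widget. Returns true when the href was changed.
// `root` is any object with querySelector (document, or a stand-in for tests).
function rewriteGoBackLink(root, oktaOrigin, appLoginUrl) {
  const link = root.querySelector('a[data-se="go-back"]');
  if (!link) return false;
  const current = link.getAttribute('href') || '';
  const replacement = pickBackToSignInHref(current, oktaOrigin, appLoginUrl);
  if (replacement === current) return false;
  link.setAttribute('href', replacement);
  return true;
}

// Wire the rewrite to the widget. The widget re-renders on every state change
// (including the session-expired screen), and afterRender fires after each one.
function installGoBackOverride(signIn, root, oktaOrigin, appLoginUrl) {
  signIn.on('afterRender', () => {
    rewriteGoBackLink(root, oktaOrigin, appLoginUrl);
  });
}

// Minimal in-memory stand-ins for the DOM and the widget, used for the demo below.
function fakeLink(href) {
  const attrs = { href };
  return {
    getAttribute: (name) => (name in attrs ? attrs[name] : null),
    setAttribute: (name, value) => { attrs[name] = value; },
  };
}
function fakeRoot(link) {
  return { querySelector: (sel) => (sel === 'a[data-se="go-back"]' ? link : null) };
}

// Demo: constructed values taken from the thread (org origin and Angular login URL).
const DEMO_ORG = 'https://purpleid-test.oktapreview.com';
const DEMO_APP_LOGIN = 'http://localhost:4200/login';
const demoHandlers = {};
const demoSignIn = { on: (event, fn) => { demoHandlers[event] = fn; } };
const demoLink = fakeLink('https://purpleid-test.oktapreview.com');
installGoBackOverride(demoSignIn, fakeRoot(demoLink), DEMO_ORG, DEMO_APP_LOGIN);
demoHandlers.afterRender(); // what the widget would do after rendering the error screen
console.log('go-back href after render:', demoLink.getAttribute('href'));
// A link that already points at an app-specific sign-out path is left alone.
console.log(pickBackToSignInHref('https://myapps.example.test/purpleid/signout/', DEMO_ORG, DEMO_APP_LOGIN));
```

On the real page, call installGoBackOverride(oktaSignIn, document, orgOrigin, appLoginUrl) after creating the widget and before rendering it; the rewrite is a no-op whenever the widget still has an app in context, so users who reach the page through a normal /authorize redirect keep the original link.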
