My company has a restriction that our access tokens need to be valid for 15 minutes (which I got working) and the refresh token is valid for 30 minutes (which I’m having trouble with).
If the user steps away from the application (it’s in React) for longer than the 30 minutes of the refresh token, the user needs to be taken back to the login page.
My problem is, I’m never getting kicked out to the login page.
To shorten my test I tried to be kicked out after 5 minutes, so I’ve put the following settings:
In the application:
- ID Token Expiration = 300 seconds
- Absolute Lifetime = 300 seconds
- Inactivity Lifetime = 299 seconds
In the api:
- Maximum Access Token Lifetime: 120 seconds
- Implicit / Hybrid Flow Access Token Lifetime: 120 seconds
I don’t really know what configuration is wrong and how I can accomplish this scenario.
CSOC won’t allow us to go to production unless we figure out how to have inactive users sent back to the login page after 30 minutes of inactivity.