Auto-Logout (Okapi)


This page explains the settings related to auto-logout on Okapi-based FOLIO installations.

For Eureka-based FOLIO installations see RTR Configuration on Eureka.

Access Token

On successful login an access token is returned; the client sends it with every subsequent API request.

The access token expires after 10 minutes by default. Use the TOKEN_EXPIRATION_SECONDS environment variable of mod-authtoken to configure a different lifetime (https://github.com/folio-org/mod-authtoken#environment-variables).

Refresh Token

On successful login both an access token and a refresh token are returned.

To fetch a new access token the UI sends the refresh token to the POST /authn/refresh API. No credentials are needed for this; the response contains a new access token together with a new refresh token, and the refresh token that was just used is no longer valid (hence "rotation").

The UI does this automatically when the access token is about to expire.

Scripts may ignore the refresh token and simply log in again with credentials whenever they need a new access token.

A refresh token expires after one week by default. Use the TOKEN_EXPIRATION_SECONDS environment variable of mod-authtoken to configure a different lifetime (https://github.com/folio-org/mod-authtoken#environment-variables).

Further details: Refresh Token Rotation (RTR)

Idle Session Auto Logout

The UI stops refreshing the access token once there has been no user activity for idleSessionTTL; the access token then expires and a new login is required. The default idleSessionTTL is 4 hours (since the Sunflower release); it can be configured in the tenant's stripes.config.js file.
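The flow described in the Refresh Token and Idle Session Auto Logout sections, as an added example that is not FOLIO's or the Stripes UI's own code: a small Python client that logs in, renews the access token through POST /authn/refresh without credentials while the user is active, and refuses to continue (a new login is required) once idleSessionTTL has passed without activity. The HTTP layer is a constructed fake standing in for Okapi and mod-login so the scenario runs offline and shows rotation (a used refresh token is rejected a second time). The login endpoint /authn/login-with-expiry, the cookie names folioAccessToken and folioRefreshToken, the X-Okapi-Tenant header, the tenant and user names, and the 30-second renewal margin are assumptions of the example, not something this page specifies; check them against the mod-login and mod-authtoken READMEs for your release.

```python
"""Client-side token handling on an Okapi-based FOLIO (Refresh Token and Idle Session
sections). Constructed example, not FOLIO code: FakeOkapi stands in for Okapi + mod-login."""
import datetime as dt
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Cookie names set by mod-login's RTR endpoints (assumed; check your mod-login version).
ACCESS_COOKIE, REFRESH_COOKIE = "folioAccessToken", "folioRefreshToken"


def _cookies(header):
    # name=value pairs of a Cookie or Set-Cookie header; attributes without '=' are dropped
    return dict(p.strip().split("=", 1) for p in header.split(";") if "=" in p)


class LoginRequired(Exception):
    """Credentials are needed again: idle timeout, rejected refresh or failed login."""


class FakeOkapi:
    """Constructed stand-in that issues and validates tokens against an injected clock."""
    def __init__(self, now):
        self.now, self.issued, self.access_exp, self.refresh_exp = now, 0, {}, {}

    def _issue(self):
        self.issued += 1
        at, rt, now = f"acc{self.issued}", f"ref{self.issued}", self.now()
        self.access_exp[at] = now + dt.timedelta(seconds=600)       # mod-authtoken default: 10 min
        self.refresh_exp[rt] = now + dt.timedelta(seconds=604800)   # mod-authtoken default: one week
        body = json.dumps({"accessTokenExpiration": self.access_exp[at].isoformat(),
                           "refreshTokenExpiration": self.refresh_exp[rt].isoformat()})
        return 201, {"Set-Cookie": [f"{ACCESS_COOKIE}={at}; HttpOnly; Path=/",
                                    f"{REFRESH_COOKIE}={rt}; HttpOnly; Path=/authn"]}, body

    def _valid(self, table, token):
        return token is not None and table.get(token, self.now()) > self.now()

    def __call__(self, method, path, headers, body):
        cookies = _cookies(headers.get("Cookie", ""))
        if (method, path) == ("POST", "/authn/login-with-expiry"):
            return self._issue()                        # constructed: any credentials accepted
        if (method, path) == ("POST", "/authn/refresh"):
            rt = cookies.get(REFRESH_COOKIE)
            if not self._valid(self.refresh_exp, rt):
                return 401, {}, ""                      # unknown, expired or already used
            del self.refresh_exp[rt]                    # rotation: a refresh token is single-use
            return self._issue()
        if not self._valid(self.access_exp, cookies.get(ACCESS_COOKIE)):
            return 401, {}, ""                          # expired or missing access token
        return 200, {}, ""


@dataclass
class TokenSession:
    tenant: str
    send: Callable                 # send(method, path, headers, body) -> (status, headers, body)
    now: Callable
    idle_session_ttl: dt.timedelta = dt.timedelta(hours=4)   # stripes idleSessionTTL default
    access: Optional[str] = None
    refresh_token: Optional[str] = None
    access_exp: Optional[dt.datetime] = None
    last_activity: Optional[dt.datetime] = None

    def _post_authn(self, path, headers, body):
        status, hdrs, resp = self.send("POST", path, {"X-Okapi-Tenant": self.tenant, **headers}, body)
        if status != 201:
            raise LoginRequired(f"POST {path} returned {status}")
        jar = {k: v for raw in hdrs["Set-Cookie"] for k, v in _cookies(raw).items()}
        self.access, self.refresh_token = jar[ACCESS_COOKIE], jar[REFRESH_COOKIE]
        self.access_exp = dt.datetime.fromisoformat(json.loads(resp)["accessTokenExpiration"])

    def login(self, username, password):
        body = json.dumps({"username": username, "password": password})
        self._post_authn("/authn/login-with-expiry", {"Content-Type": "application/json"}, body)
        self.last_activity = self.now()

    def refresh(self):
        self._post_authn("/authn/refresh", {"Cookie": f"{REFRESH_COOKIE}={self.refresh_token}"}, "")

    def request(self, method, path, body=""):
        """Like the UI: renew a stale access token only while the session is not idle."""
        now = self.now()
        if self.last_activity is None or now - self.last_activity > self.idle_session_ttl:
            raise LoginRequired("no session or idleSessionTTL exceeded: log in again")
        if now >= self.access_exp - dt.timedelta(seconds=30):   # renew shortly before expiry
            self.refresh()
        self.last_activity = now
        return self.send(method, path, {"X-Okapi-Tenant": self.tenant,
                                        "Cookie": f"{ACCESS_COOKIE}={self.access}"}, body)


def run_scenario():
    """Login; one silent refresh once the 10-minute token is stale; idle logout after 4 h."""
    clock = {"t": dt.datetime(2025, 1, 1, 9, 0, 0)}
    okapi = FakeOkapi(lambda: clock["t"])
    s = TokenSession(tenant="diku", send=okapi, now=lambda: clock["t"])
    s.login("diku_admin", "admin")                       # constructed credentials
    tokens = [s.access]
    for minutes in (5, 6):      # t+5 min: still valid, no refresh; t+11 min: expired, refreshed
        clock["t"] += dt.timedelta(minutes=minutes)
        s.request("GET", "/users")
        tokens.append(s.access)
    clock["t"] += dt.timedelta(hours=5)                  # 5 h without activity > idleSessionTTL
    try:
        s.request("GET", "/users")
        idle = "allowed"
    except LoginRequired as exc:
        idle = str(exc)
    return {"tokens": tokens, "refreshes": okapi.issued - 1, "idle": idle}
```

run_scenario() returns the access token after each step (the same token at 5 minutes, a new one at 11 minutes) and the reason the request after 5 idle hours was refused. To use the client against a real Okapi, replace FakeOkapi with a function that performs the HTTP request and returns (status, headers, body); the session logic above does not change.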

Maximum Authentication Lifetime

For Single-Sign-On (SSO) there’s another expiration value:

Both FOLIO's mod-login-saml module and the SSO IdP configure a maximum authentication lifetime; once it has passed, the user must provide credentials again.

mod-login-saml >= 2.10.1 ships with a default of 8 hours for MAX_AUTH_LIFETIME. This environment variable applies to all tenants. See https://github.com/folio-org/mod-login-saml#maximum-authentication-lifetime

The IdP's maximum authentication lifetime must be configured to be smaller than or equal to mod-login-saml's maximum authentication lifetime. Otherwise a login attempt fails with a "500 server error" whenever the age of the user's IdP authentication falls into the gap between the two values: the IdP still considers the session fresh and issues an assertion, but mod-login-saml rejects it. See MODLOGSAML-208.
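A check for the constraint just stated, as an added example that is not part of mod-login-saml: it parses lifetimes given either as plain seconds (how MAX_AUTH_LIFETIME is assumed to be set here) or as an ISO-8601 duration such as Shibboleth IdP's authentication lifetime settings use (PT8H, PT60M), reports by how much the IdP value exceeds mod-login-saml's, and classifies an SSO login attempt by the age of the user's IdP authentication. The 8-hour default and the three outcomes follow the text above; the duration formats, the function names and the interpretation of "gap" as the age of the IdP authentication are the example's own assumptions.

```python
"""Lifetime check for SAML SSO against mod-login-saml. Constructed example;
neither the duration parser nor the login classifier is FOLIO code."""
import re

DEFAULT_MAX_AUTH_LIFETIME = 8 * 3600   # mod-login-saml >= 2.10.1 default; assumed to be in seconds

_ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_lifetime(text):
    """Seconds from plain seconds ('28800') or an ISO-8601 duration such as Shibboleth
    IdP settings use ('PT60M', 'PT8H', 'P1DT12H'). Anything else is rejected."""
    text = text.strip().upper()
    if text.isdigit():
        return int(text)
    m = _ISO_DURATION.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unrecognised lifetime: {text!r}")
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def _lifetimes(idp_lifetime, sp_lifetime):
    # sp_lifetime None means MAX_AUTH_LIFETIME was left at its default
    sp = DEFAULT_MAX_AUTH_LIFETIME if sp_lifetime is None else parse_lifetime(sp_lifetime)
    return parse_lifetime(idp_lifetime), sp


def lifetime_gap(idp_lifetime, sp_lifetime=None):
    """Seconds by which the IdP lifetime exceeds MAX_AUTH_LIFETIME (0 = configuration OK).
    IdP sessions older than MAX_AUTH_LIFETIME but younger than the IdP lifetime fall in it."""
    idp, sp = _lifetimes(idp_lifetime, sp_lifetime)
    return max(0, idp - sp)


def classify_sso_login(authn_age_seconds, idp_lifetime, sp_lifetime=None):
    """Outcome of 'Log in via SSO' for a user who authenticated at the IdP
    authn_age_seconds ago, per the rule above and MODLOGSAML-208."""
    idp, sp = _lifetimes(idp_lifetime, sp_lifetime)
    if authn_age_seconds > idp:
        return "idp-reauth"    # IdP asks for credentials again, then login succeeds
    if authn_age_seconds > sp:
        return "sp-rejects"    # IdP reuses its session, mod-login-saml rejects it: "500 server error"
    return "ok"


def report(idp_lifetime, sp_lifetime=None):
    """One-line verdict for a deployment checklist."""
    gap = lifetime_gap(idp_lifetime, sp_lifetime)
    if gap == 0:
        return f"OK: IdP lifetime {idp_lifetime} <= MAX_AUTH_LIFETIME"
    return (f"MISCONFIGURED: SSO logins fail for IdP sessions older than MAX_AUTH_LIFETIME "
            f"by up to {gap} s; lower the IdP lifetime or raise MAX_AUTH_LIFETIME")
```

With the mod-login-saml default, report("PT60M") passes while report("P1D") flags a 57600-second window in which a user whose IdP session is between 8 and 24 hours old gets the 500 error instead of a login prompt.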