[Due for payment 2026-07-21] [$500] [Mobile] Okta SSO requires double login after idle timeout — app freezes on SAML session handoff
Expensify/App
Description
If you found this issue via BugZero, please follow the BugZero triage guidelines in the wiki article [here](https://github.com/nickmac-expensify/App/blob/main/contributingGuides/BUGZERO.md). In particular: - Populate the `Version Number` field (you can find this in the [App Deployer](https://www.expensify.com/tools?action=deployer#checks) or [GitHub Releases](https://github.com/Expensify/App/releases)) and change the template title. - If the bug is a result of a regression, label with `Regression` and add the `Original Author - @<author>` and `Regression Author - @<author>` labels after determining the source of the regression (you can use `git bisect`). - If unable to reproduce the bug, consider labeling with `Needs Investigation` and tagging relevant engineers. --- **Action Performed:** 1. Log into Expensify mobile app via Okta SSO 2. Leave app idle for ~3–4 hours (aligned with Okta global session idle timeout) 3. Return to app 4. Complete Okta re-authentication + MFA in the in-app browser 5. Tap "Done" on in-app browser to return to the app **Expected Result:** User is successfully authenticated and returned to the app with a persisted session — no additional login required. **Actual Result:** App freezes briefly after returning from the in-app browser, then logs the user out and redirects to the Expensify login screen. User must log in a second time (including Okta MFA). The second login works as expected. **Workaround:** User can log in a second time — the second attempt always succeeds. **Platforms:** Which of our officially supported platforms is this issue occurring on? - [x] iOS - [x] Android - [ ] Desktop - [ ] Web - [ ] Mobile Web (Chrome) - [ ] Mobile Web (Safari) **Version Number:** Latest (reported on 9.3.39-3+ and still occurring) **Reproducible in staging?:** Unknown **Logs:** N/A **Notes/Photos/Videos:** ### Additional Context - **Auth method:** Okta SSO (SAML) - **Okta session policy:** Max session 8 hours, idle timeout 4 hours - **Scope:** Affects all mobile app users in this organization; NOT reproducible on desktop - **Behavior is unique to Expensify** — not occurring with other Okta-integrated mobile apps (Gmail, Slack, Zoom) ### Technical Context from Investigation on Expensify/Expensify#613615 The mobile SAML re-authentication flow relies on a multi-redirect chain that passes a 1-minute `shortLivedAuthToken` back to the app via a Universal Link / deep link. When the app is backgrounded or in a transitional state during this handoff, the token can expire or the deep link can fail to fire, causing the first login attempt to silently fail. Several server-side fixes have already been merged (Auth \#19751, Web-Expensify \#50652) addressing `samlInfiniteMobileSessions` flag preservation. However, the client-side handling of the SAML deep link callback when the app is resuming from a backgrounded state needs investigation — this is likely where the mobile-specific failure occurs. Key areas to investigate in the App: - How does the React Native app handle receiving a SAML deep link callback (`isSAML=true`) when it has an expired session? - Is there a race condition between the in-app browser closing and the deep link being processed? - Does the app correctly handle the `shortLivedAuthToken` exchange when resuming from background? **Upstream issue:** https://github.com/Expensify/Expensify/issues/613615 <details><summary>Issue Owner</summary>Current Issue Owner: @thelullabyy</details> <details><summary>Upwork Automation - Do Not Edit</summary> <ul> <li>Upwork Job URL: https://www.upwork.com/jobs/~022038834681163684626</li> <li>Upwork Job ID: 2038834681163684626</li> <li>Last Price Increase: 2026-06-16</li> <li>Automatic offers: </li> <ul> <li>thelullabyy | Reviewer | 111894633</li> </ul></li> </ul> </details>