<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base

Computing the Hash Value of a Refresh Token to Analyze Okta System Log Events

Last Updated:

API Access Management
Okta Classic Engine
Okta Identity Engine

Overview

OpenID Connect (OIDC) Applications in Okta allow end-user applications to obtain an optional Refresh Token that can be used to refresh the user's ID and Access Tokens. 

For security reasons, the raw Refresh Token value itself is not logged in Okta System Logs. Instead, the relevant events will log the hash value of the token in the System Log events as the target.detailEntry.hash, the value of which is the Base64 encoded SHA-256 hash of the raw Refresh Token string.

Applies To

  • OpenID Connect (OIDC)/OAuth 2.0 application
  • Refresh Token
  • System Logs
  • Okta Classic Engine
  • Okta Identity Engine (OIE)

Solution

To compute the same hash value of the Refresh Token Okta uses in the system logs, the raw value of the Refresh Token needs to be obtained from the application. Whether or not this value is easily accessible depends on the specific application/implementation.

For example, in public applications that use the okta-auth-js SDK, the Refresh Token value can be obtained by inspecting the network calls to the authorization server's token endpoint. Additionally, the value can be viewed in the browser's token storage or retrieved from the TokenManager API provided by the SDK.

Once the refresh token value is collected, complete the following steps:

  1. Generate the hash value, replacing <refreshToken> with the raw value of the Refresh Token.

    • Unix/MacOS

      echo -n "<refreshToken>" | shasum -a 256 | xxd -r -p | base64
    • PowerShell  
      [Convert]::ToBase64String([System.Security.Cryptography.SHA256]::Create().ComputeHash([System.Text.Encoding]::UTF8.GetBytes("<refreshToken>")))
    • Example:
      • The hashed value for a refresh token with a raw value of "zDfsxCWXNo0QE4MtMZ2TM1je2Ofkgis47rizYbbW2Bk" is "hFq1PH4oWPp8F6maiAzaXiCC6i6GbT5PHnKA77192tc="

  2. Use the following System Log query to find events related to this specific refresh token, replacing <hashedRefreshToken> with the output above.

    target.detailEntry.hash eq "<hashedRefreshToken>"
    • Example: 
      • target.detailEntry.hash eq "hFq1PH4oWPp8F6maiAzaXiCC6i6GbT5PHnKA77192tc="

 

Related References

Recommended content

Still looking for help?
Loading
Okta Support - Computing the Hash Value of a Refresh Token to Analyze Okta System Log Events