OIDC Application Token: Refresh Token Request Coming from Outside Authorized Network
Single Sign-On
Okta Classic Engine
Okta Identity Engine
Overview

IP evaluation occurs only during the primary authentication flow. Once a user successfully authenticates from an allowed IP, subsequent refresh token requests bypass IP checks because trust has already been established through the session.

Applies To
  • OpenID Connect (OIDC)
  • Authentication Policy
  • System logs
Cause

IP evaluation occurs only during the primary authentication flow

For instance:

  1. The user successfully authenticates to the app because the policy requirements are met and the request comes from an authorized IP.
  2. The app sends refresh token requests to Okta from the authorized network IP.
  3. When the user disconnects from the VPN, the app continues to send refresh token requests from the user's personal IP.
  4. Since the user has already established a session in the browser, Okta trusts these requests.
Solution

Once the user authenticates from an authorized IP, subsequent refresh token requests are not evaluated against the IP conditions, because IP evaluation happens only at the initial authentication step.

After inspecting the System Log, the following event might be seen coming from an IP that the app's authentication policy should not allow:

Event Info: User single sign on to app
RequestUri: /oauth2/***/v1/token
Target: OpenID Connect Client

Grab the Request ID for one of these events; the same Request ID is usually shared by the following events:

  • OAuth2 access token is granted.
  • OAuth2 ID token is granted.
  • OAuth2 refresh token is granted.
  • User single sign-on to the app.

System log event

This is expected behavior.
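Because the token endpoint is not re-evaluated against the network condition, the only place this shows up is the System Log. The following is an added example (not Okta's code or part of this article) that runs that check over constructed System Log entries: it flags token-endpoint events whose client IP is outside an assumed authorized range and groups them by Request ID so the related grant events can be pulled together. Field paths follow the Okta System Log schema; the CIDR, IPs, user names and "AUTH_SERVER_ID" are placeholders.

```python
import ipaddress
import json
from collections import defaultdict

# Authorized network as the app authentication policy would define it (constructed range).
AUTHORIZED_CIDRS = ["203.0.113.0/24"]

# Constructed sample System Log entries, not real Okta data. Only the fields the check reads
# are present. "AUTH_SERVER_ID" stands in for the masked id in the article's "/oauth2/***/v1/token".
SAMPLE_LOG = json.dumps([
    # Initial sign-in from the VPN range: in policy, nothing to flag.
    {"displayMessage": "User single sign on to app", "actor": {"alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "203.0.113.10"}, "target": [{"type": "OpenID Connect Client"}],
     "debugContext": {"debugData": {"requestUri": "/oauth2/AUTH_SERVER_ID/v1/token", "requestId": "req-A"}}},
    # Refresh after the VPN drops: same session, personal IP, no IP re-evaluation.
    {"displayMessage": "OAuth2 refresh token is granted", "actor": {"alternateId": "jdoe@example.com"},
     "client": {"ipAddress": "198.51.100.7"}, "target": [{"type": "OpenID Connect Client"}],
     "debugContext": {"debugData": {"requestUri": "/oauth2/AUTH_SERVER_ID/v1/token", "requestId": "req-B"}}},
    # Outside the range but not the token endpoint: ignored by this check.
    {"displayMessage": "User login to Okta", "actor": {"alternateId": "asmith@example.com"},
     "client": {"ipAddress": "198.51.100.9"}, "target": [],
     "debugContext": {"debugData": {"requestUri": "/api/v1/authn", "requestId": "req-C"}}},
])


def load_events(raw_json: str) -> list:
    """Parse a System Log export (JSON array of event objects)."""
    return json.loads(raw_json)


def in_authorized_network(ip: str, cidrs) -> bool:
    """True when the client IP falls inside any authorized CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def out_of_network_token_requests(events, cidrs=AUTHORIZED_CIDRS) -> dict:
    """Return {requestId: [(displayMessage, actor, ip), ...]} for token-endpoint events
    whose client IP is outside the authorized network."""
    flagged = defaultdict(list)
    for ev in events:
        debug = ev.get("debugContext", {}).get("debugData", {})
        uri = debug.get("requestUri", "")
        if not (uri.startswith("/oauth2/") and uri.endswith("/v1/token")):
            continue  # only the OIDC token endpoint matters here
        ip = ev.get("client", {}).get("ipAddress")
        if ip is None or in_authorized_network(ip, cidrs):
            continue
        flagged[debug.get("requestId", "unknown")].append(
            (ev.get("displayMessage"), ev.get("actor", {}).get("alternateId"), ip))
    return dict(flagged)


if __name__ == "__main__":
    for req_id, hits in out_of_network_token_requests(load_events(SAMPLE_LOG)).items():
        print(req_id, hits)
```

Each flagged Request ID can then be searched in the System Log to see the access, ID and refresh token grants issued under it.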
