
SushmaN.16620 (Customer) asked a question.
I am new to OKTA and have created an application using Native apps in OKTA. When making a request to generate a token using
URL: https://dev-xxxx.okta.com/oauth2/default/v1/token
Response: {
    "token_type": "Bearer",
    "expires_in": 3600,
    "access_token": "access token",
    "scope": "openid offline_access profile",
    "refresh_token": "Q96XZ8ZkjTMBhOJuv_prw77kdERo6LOCD9oLS3Lac6s",
    "id_token": "token ID"
}
So when making the same request again, the previous access ID is still active. I have tested the token using introspect
URL: https://dev-xxx.okta.com/oauth2/default/v1/introspect
Response:
{
"active": true,
"scope": "openid offline_access profile",
"username": "xxx",
"exp": 1591031057,
"iat": 1591027457,
"sub": "xxx",
"aud": "api://default",
"iss": "xxx",
"jti": "xxx",
"token_type": "Bearer",
"client_id": "xxx",
"uid": "00ubuu0c8vwpuMScG4x6"
}
When does the access token active become false?
Calling refresh_token also does not expire the previous access token.

Thank you for contacting Okta Support.
API tokens are valid for 30 days and automatically renew every time they are used with an API request. When a token has been inactive for more than 30 days it is revoked and cannot be used again. Tokens are also only valid if the user who created the token is also active. Tokens issued by deactivated users are rejected. If the user account is reactivated, the API token is accepted with no other action required.
Refresh tokens normally have very long expiration times relative to access tokens. Because refresh tokens are more valuable than access tokens, they are usually only issued via the OAuth "Authorization Code Grant" flow.
When a token is created using an API flow, an "expires_in" can be set to a specific number.
Here I have attached a documentation link related to Okta APIs:
https://help.okta.com/en/prod/Content/Topics/Security/API.htm
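As an added example (not code from either post above): a small Python model of the behaviour the thread describes, using the introspection payload from the question as constructed sample input. The /v1/revoke path comes from Okta's OAuth documentation rather than this thread, and the client-side "obtained_at" field and the function names are my own assumptions.

```python
import time
from urllib.parse import urlencode

# Constructed copy of the introspection response quoted in the question; the redacted
# "xxx" fields are dropped. iat and exp are 3600 s apart, matching expires_in.
SAMPLE_INTROSPECTION = {
    "active": True,
    "scope": "openid offline_access profile",
    "exp": 1591031057,
    "iat": 1591027457,
    "aud": "api://default",
    "token_type": "Bearer",
}


def token_is_live(introspection: dict, now: int) -> bool:
    """Mirror what Okta's /introspect reports: a token stays active until its exp
    passes (or it is revoked). Minting a second token does not touch this one."""
    if not introspection.get("active", False):
        return False
    exp = introspection.get("exp")
    return exp is None or now < exp


def next_action(token: dict, now: int, skew: int = 60) -> str:
    """Decide what a client should do with a cached /token response ('obtained_at' is the
    epoch second the client recorded on receipt; assumed field). Reusing a live token avoids
    leaving several independent, still-valid access tokens in circulation, as in the question."""
    expires_at = token["obtained_at"] + token["expires_in"]
    if now + skew < expires_at:
        return "reuse"            # still valid: do not call /token again
    if token.get("refresh_token"):
        return "refresh"          # grant_type=refresh_token, no user interaction
    return "reauthenticate"       # no refresh token: start a new grant


def revoke_request(issuer: str, token: str, hint: str = "access_token") -> tuple:
    """Build an RFC 7009 revocation call. The /v1/revoke path is taken from Okta's OAuth
    docs, not from this thread; revocation is how 'active' becomes false before exp.
    Returns (url, form body); the caller adds client authentication."""
    return f"{issuer}/v1/revoke", urlencode({"token": token, "token_type_hint": hint})


if __name__ == "__main__":
    iat, exp = SAMPLE_INTROSPECTION["iat"], SAMPLE_INTROSPECTION["exp"]
    print(token_is_live(SAMPLE_INTROSPECTION, int(time.time())))  # False: exp passed in 2020
    cached = {"expires_in": 3600, "refresh_token": "<redacted>", "obtained_at": iat}
    print(next_action(cached, iat + 10), next_action(cached, exp + 1))  # reuse refresh
```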