0D54z00008U6IY6CAN | Okta Identity Engine | Workflows | Answered | 2025-09-13T09:01:51.000Z | 2022-12-07T22:31:58.000Z | 2022-12-14T18:37:18.000Z

CindyY.30672 (Customer) asked a question.

Getting HTTP Status 200 without Access/ID tokens in the response payload for the /token request

Hi, I am currently debugging an issue on our SPA with Okta login integration. Our app is a React app and we currently use these two libraries, okta-auth-js and okta-react, to integrate with Okta.

 

Issue/Behavior:

The user reported inconsistent behavior where the application would refresh on its own, but no login is required. Upon further debugging, below is what we know:

A. user was successfully authenticated already, ID token would not expire for a whole hour

B. 30 seconds before the Access token is expired, the okta-auth-js code fired the "/authorize" request to make sure user is authenticated and obtain an authorization code

C. upon receiving a success response of "/authorize", the okta-auth-js fired the next call "/token" along with the necessary params to get the new Access and ID tokens. We noticed this call was marked as Success (HTTP Status Code = 200) but its http response content was nothing (set-cookie:sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/)

D. Immediately the okta-auth-js noticed the Access and ID tokens were null, so it fired a new "/authorize" call with redirect (302)

E. because the user was already authenticated, the user was not directed to the login page, instead user just experienced a page refresh, and lost all their work-in-progress on the application

 

Debugging:

-- This issue/behavior is not reproducible. We have to leave our application on over time, and monitor the network hopping to see the behavior

-- We make sure our browser does not block any 3rd party cookies. In fact from the network tab, we can confirm that the "authorize" and "/token" calls passed in all the necessary cookies

-- We have access to the Okta Admin console. In the Admin system log, we used the "x-okta-request-id" to trace the log messages for the "/authorize" and "/token" requests, everything was marked as success, and in the log we could even see the new Access Token expiration time. However on the client side (browser), we received no response content

 

We are currently stuck on this issue, not knowing what to do in order to improve our user experience when this inconsistent behavior happens. We want to know:

Q1: has anyone experienced this kind of issue in the past? If so, what's the reason that the client side received a null response on the "/token" call?

Q2: does this sound like a bug more than a normal behavior based on your experience?

Q3: do you have any recommendation or approach for our engineer to try or debug further? How could we tackle this issue?

 

Many thanks for your time in reading our questions.

 

Regards,

Cindy


This question is closed.
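
For the intermittent symptom in steps C and D, an added example (not part of the original post and not code from okta-auth-js): it scans a HAR export saved from the browser's Network tab for "/token" responses that return HTTP 200 without tokens, and records the `x-okta-request-id` so each hit can be matched against the Admin system log. The sample HAR, the host `idp.example.com` and the request-id values are constructed.

```javascript
// Added example (not Okta's or the poster's code). Scans a HAR export from the
// browser's Network tab for /token responses that are HTTP 200 but carry no tokens.
function findEmptyTokenResponses(har) {
  const findings = [];
  for (const entry of har.log.entries) {
    const url = new URL(entry.request.url);
    const res = entry.response;
    if (!url.pathname.endsWith('/token') || res.status !== 200) continue;

    // HAR keeps the body in response.content.text, optionally base64-encoded.
    const content = res.content || {};
    let text = content.text || '';
    if (content.encoding === 'base64') text = atob(text);
    let body = null;
    try { body = JSON.parse(text); } catch (e) { /* empty or non-JSON body */ }
    if (body && (body.access_token || body.id_token)) continue; // healthy renewal

    const header = (name) => (res.headers || [])
      .filter((h) => h.name.toLowerCase() === name).map((h) => h.value);
    findings.push({
      time: entry.startedDateTime,
      url: url.origin + url.pathname,
      bodyLength: text.length,
      // sid set to an empty value, as in the Set-Cookie quoted in step C
      sidCleared: header('set-cookie').some((v) => /(^|\n)\s*sid=(""|);/i.test(v)),
      requestId: header('x-okta-request-id')[0] || null,
    });
  }
  return findings;
}

// Constructed sample: one healthy renewal, one matching the reported symptom.
const sampleHar = { log: { entries: [
  { startedDateTime: '2022-12-07T10:00:00.000Z',
    request: { url: 'https://idp.example.com/oauth2/v1/token' },
    response: { status: 200,
      headers: [{ name: 'x-okta-request-id', value: 'constructed-req-1' }],
      content: { text: '{"access_token":"a.b.c","id_token":"d.e.f"}' } } },
  { startedDateTime: '2022-12-07T10:59:30.000Z',
    request: { url: 'https://idp.example.com/oauth2/v1/token' },
    response: { status: 200,
      headers: [
        { name: 'x-okta-request-id', value: 'constructed-req-2' },
        { name: 'set-cookie', value: 'sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/' }],
      content: { text: '' } } },
] } };

console.log(findEmptyTokenResponses(sampleHar));
```

A HAR file contains cookies and tokens in clear text, so it should be scanned locally and redacted before being attached to a support case.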