Okta Classic Engine · API Access Management · Answered · 2023-09-20

707ex (707ex) asked a question.

Token expiration times and access token refresh

I'm trying to understand the way token expirations/refreshes are expected to work because the behavior I'm seeing does not match what the documentation seems to convey. Any clarification would be greatly appreciated.

My understanding is that as long as a refresh token is active, the access token can be refreshed, even if the access token has already expired. Is this correct?

Our refresh token is set in the dashboard to be unlimited (if used once every 7 days, I believe), but its expiration time always comes back as the same as the access token. Is that because of the limitation in parsing refresh tokens mentioned here, or is there something else at play? https://support.okta.com/help/s/article/Okta-Refresh-Token-Lifetime-Does-Not-Match-Whats-Configured-on-the-Authentication-Server?language=en_US

The crux of our issue is that renewing the access token after its expiration works for about the first 45 seconds, but any later than that and the call returns an error.

As mentioned, in our test environment we currently have the refresh token expiration set to unlimited, and the access token expiration set to ~5 minutes. When the access token expires, we display a modal to the user asking if they want to continue their session. If they select no or take no action (we have a countdown timer that starts at 5 minutes), then they are logged out. If they select to continue the session, we renew the access token and dismiss the modal. The renew works fine for the first ~45 seconds or so after the access token expiration. If the user tries to renew a token after approximately 45 seconds, though, then we get an error from Okta saying the access token is invalid. Formerly, we were refreshing the access token while it was still active (using expireEarlySeconds in the tokenManager config). That has since been made a dev-only attribute, so we're utilizing the access token's true onExpired broadcast to trigger all of our logic to prompt the user to continue/logout.

We call renew like this: oktaAuth.tokenManager.renew('accessToken')

However, here (https://developer.okta.com/docs/guides/refresh-tokens/main/*renew-access-and-id-tokens-with-spas) it mentions "To refresh your access token and an ID token, you send a token request with a grant_type of refresh_token" (although this is for a direct POST call and not through the provided Okta React classes). Is there something else I'm missing here to correctly refresh the access token?

  • andrea.skouras (Okta, Inc.)

    Hi Nick!

    Are you seeing that the refresh token lists the same expiration time as the Access Token when using one of our front-end SDKs to request and store the tokens in tokenManager? If so, that's a bit of a red herring. The token storage that our AuthJS library uses requires that an expiresAt time be set for each token, but without introspecting the token (which would require the SDK to make a potentially undesirable network call to Okta) the best it can do is say that it will expire at the same time as the Access Token. When the library sees that the Access Token needs to be renewed, the Refresh Token will automatically be renewed as well (since in Auth Code flow, all tokens are returned from a single OIDC flow).

    Are you setting the expireEarlySeconds to a value different from the default 30 seconds? It's possible that the tokens have expired before the user responded to your application's prompt to renew their session, thus resulting in the tokens being cleared from storage, and therefore the refresh token is not available for renewal at that time.

    You may want to monitor not just the on expired event, but also the on renewed and on removed events, https://github.com/okta/okta-auth-js#tokenmanageronevent-callback-context, to check when the tokens are getting cleared.
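As an added example (not code from the thread or from Okta), the following subscribes to the expired, renewed and removed events the answer points to (plus error) and records a timeline, so a failed renew can be checked against whether the refresh token had already been cleared from storage. Callback argument shapes are assumed from the linked okta-auth-js README; the fake token manager and clock are constructed here so the example runs without the SDK.

```javascript
// Record tokenManager lifecycle events so a failed renew('accessToken') can be
// correlated with the refresh token having been removed from storage first.
function watchTokenLifecycle(tokenManager, now = () => Date.now()) {
  const timeline = [];
  const record = (event, key, token) =>
    timeline.push({ at: now(), event, key, expiresAt: token ? token.expiresAt : undefined });
  // Callback signatures assumed from the okta-auth-js README linked in the answer.
  tokenManager.on('expired', (key, token) => record('expired', key, token));
  tokenManager.on('renewed', (key, newToken) => record('renewed', key, newToken));
  tokenManager.on('removed', (key, token) => record('removed', key, token));
  tokenManager.on('error', (err) =>
    timeline.push({ at: now(), event: 'error', key: err.tokenKey, message: err.message }));
  const lastFor = (key, events) =>
    [...timeline].reverse().find((e) => e.key === key && events.includes(e.event));
  return {
    timeline,
    // True when the refresh token's most recent lifecycle event is 'removed':
    // a renew('accessToken') issued now has no refresh token to work with.
    refreshTokenCleared() {
      const last = lastFor('refreshToken', ['removed', 'renewed']);
      return Boolean(last) && last.event === 'removed';
    },
    // Seconds from the access token's last 'expired' event to the refresh
    // token's last 'removed' event, or null if either has not happened yet.
    secondsFromExpiryToClear() {
      const expired = lastFor('accessToken', ['expired']);
      const removed = lastFor('refreshToken', ['removed']);
      return expired && removed ? (removed.at - expired.at) / 1000 : null;
    },
  };
}
// Minimal stand-in for tokenManager.on(), constructed for this example;
// in the app, pass oktaAuth.tokenManager instead.
function makeFakeTokenManager() {
  const handlers = {};
  return {
    on(event, cb) { (handlers[event] = handlers[event] || []).push(cb); },
    emit(event, ...args) { (handlers[event] || []).forEach((cb) => cb(...args)); },
  };
}
// Usage: replay the reported sequence with a fake clock (milliseconds).
const clock = { t: 0 };
const tm = makeFakeTokenManager();
const watch = watchTokenLifecycle(tm, () => clock.t);
tm.emit('expired', 'accessToken', { expiresAt: 0 });
clock.t = 45000;
tm.emit('removed', 'refreshToken', { expiresAt: 0 });
console.log(watch.refreshTokenCleared(), watch.secondsFromExpiryToClear()); // true 45
```

If the timeline shows the refresh token 'removed' before the user answers the modal, the renew call is failing for the reason the answer describes rather than because of the grant type used.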
This question is closed.