I have a Single Page Application (SPA) using Vue 2, and I’m using okta-vue 3.1 and okta-auth-js 4.9.2. The access token and the refresh token have the same expiration date in localStorage.
Additionally, when I authenticate, I can see the background token refresh happening. As long as the computer is on, I don’t need to re-authenticate. However, when I shut down the computer and restart it after the access token has expired, I have to re-authenticate, even though I have a refresh token with a 30-day validity period in the dashboard.
Is there a solution? Is there something specific I need to do to prevent this?
For the same expiration date of the access token and the refresh token, I understand why.
I still have the issue that after shutting down my PC and restarting it after the access token has expired, I have to reauthenticate.
When you open the browser, before you access your application, can you open the browser's dev console window and switch to the network tab? Then when you access your application, do you see an attempt at a `/token` request happen before you need to authenticate?
The `refresh_token` expiration you see in the token storage will always be the same value as the `access_token`. This value means nothing for the `refresh_token`, it's only added because the storage requires a value. The only way to know if a `refresh_token` is still valid is by calling the authorization server's `/introspect` endpoint with it.
For refresh tokens there are 2 parameters that control the lifetime.
- the lifetime, which is a hard limit. The `refresh_token` can never be valid longer than this time even when it is updated with a refresh grant
- the ‘but will expire if not used every X’ value.
If you have 30 days as the expiration, but the ‘will expire if not used every’ is set to 2 hours, then at any point where there is a 2 hour period where the `refresh_token` is not used, it becomes invalidated regardless of the lifetime value.
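
Added example, not part of the reply above and not Okta's code: a small JavaScript model of the two refresh-token rules described in the thread (the hard lifetime and the 'will expire if not used every X' window), run over constructed timestamps for a PC that is shut down overnight. The function name, field names and sample times are assumptions made for illustration.

```javascript
// Model of the two refresh-token lifetime rules (illustrative; not Okta's code).
const HOUR = 60 * 60 * 1000;
const DAY = 24 * HOUR;

// Policy values quoted in the thread: 30-day lifetime, 2-hour idle window.
const POLICY = { lifetimeMs: 30 * DAY, idleMs: 2 * HOUR };

// Decide whether a refresh attempt at `now` would succeed.
// issuedAt: when the token was first issued; uses: earlier successful refreshes.
// All times are milliseconds on one clock. Names are hypothetical.
function checkRefreshToken({ issuedAt, uses }, now, policy = POLICY) {
  const hardDeadline = issuedAt + policy.lifetimeMs; // never extended by use
  const events = uses.filter((t) => t <= now).sort((a, b) => a - b);
  events.push(now); // the attempt being checked is the final event
  let lastUse = issuedAt;
  for (const t of events) {
    const idleDeadline = lastUse + policy.idleMs; // slides forward on each use
    const deadline = Math.min(hardDeadline, idleDeadline);
    if (t > deadline) {
      const reason = hardDeadline <= idleDeadline ? 'lifetime' : 'idle';
      return { valid: false, reason, expiredAt: deadline };
    }
    lastUse = t;
  }
  return { valid: true, reason: null, expiredAt: null };
}

// Constructed sample: background refresh every hour for 8 hours, then shutdown.
const workday = { issuedAt: 0, uses: [1, 2, 3, 4, 5, 6, 7, 8].map((h) => h * HOUR) };

// Constructed sample: a machine left on, refreshing hourly for 30 days.
const alwaysOn = {
  issuedAt: 0,
  uses: Array.from({ length: 30 * 24 }, (_, i) => (i + 1) * HOUR),
};

console.log(checkRefreshToken(workday, 9 * HOUR)); // PC still on
console.log(checkRefreshToken(workday, 20 * HOUR)); // restarted the next morning
console.log(checkRefreshToken(alwaysOn, 30 * DAY + HOUR)); // past the hard limit
```

In this model the token from the shutdown scenario is rejected for the idle rule long before the 30-day lifetime matters, which matches the behaviour described in the question.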