Activation token expires immediately


We have a custom user activation flow in our stack: our backend calls Okta to create the users via the API, and sends the activation email with the same request. The user receives the email and is redirected to our frontend with the token, which is sent to our backend for validation (and to continue the reset password process). The issue is that often, the activation token sent via email is expired before the user can use it for the first time. It is quite frustrating, as it’s the first interaction with our app, and users often need us to send an activation link a second time so they can set their passwords.

The most plausible theory I have at the moment is that an update on the user’s profile invalidates the already issued activation token. We create the user and send the link directly, but we trigger an event that updates one of the user’s fields asynchronously. Could that update invalidate the activation token somehow? This would also explain why the process is flaky, as sometimes the activation works directly, which would mean that our event updates the profile before the activation email.

The activation link is only valid for a certain time. Are you seeing it being invalid right away or after a day or so?

It fails right away, without any wait. We create an account and try to activate it when we receive the email, and we get the error.

We are experiencing this issue as well. I wouldn’t say often, but about 5 out of 50 users. Did you find a resolution? I’m not sure your theory would hold because then you would experience this issue every time, not just sometimes.

I haven’t found the resolution yet. I have an open case with Okta support, but they haven’t been able to reproduce the issue. As you said, they tested my theory and it wasn’t the case. However, the issue could have been flaky because of the asynchronous nature of our activation process.

The issue is that the System Log isn’t really helping (it’s been a while since I tested, not sure if it doesn’t show up or if it doesn’t give enough information). I really wish there was a way to have some kind of developer-oriented logging that would give helpful information.

Thanks for the follow-up. Yeah, we are unable to reproduce on demand and logging isn’t really helping. I suspect it does have something to do with the custom implementation using API calls that somehow get hung up on the outgoing or incoming end, which breaks the string of processes that has to happen for it to work. I’m curious to know if this ever happens using the Okta widget instead of custom API calls.