I am trying to refresh an access token before it expires for a Single Page Application using PKCE.
My understanding is that to refresh an access token I need to do the following:
-
Select ‘Authorization Code’ and ‘Refresh Token’ in our Okta Application ‘General Settings’
-
Call the Authorize endpoint to get a refresh token and a code
-
Pass the refresh token and code from step 2 to the Token endpoint to generate a new access token and new refresh token.
I have done steps 1 through 3 above and configured the Okta Sign-In Widget in our SPA following documentation with the configuration referenced below however the authorize request shown below doesn’t seem to contain the Auth Params I set (namely ‘code’ and ‘prompt’) and as a result only an accessToken and idToken parameter are returned and placed into the browser local storage okta-token-storage key. A refresh token and code are not placed into local storage. I have tried with Okta Sign-In widget v 3.9.1 and the latest v 4.2.2
Have I missed something in the configuration?
Authorize Request:
oktaConfig: {
clientId: ‘XXXXXXXX’,
issuer: ‘https://tw.oktapreview.com’,
redirectUri: ‘http://localhost:8080/implicit/callback’,
scope: ‘openid offline_access profile email’,
authorizeUrl: ‘https://tw.oktapreview.com/oauth2/v1/authorize’,
userinfoUrl: ‘https://tw.oktapreview.com/oauth2/v1/userinfo’,
prompt: ‘none’,
onAuthRequired: onAuthRequired,
onSessionTimeout: onSessionTimeout
}
widget = new OktaSignIn({
baseUrl: this.oktaConfig.issuer,
logo: ‘’,
language: ‘en’,
i18n: {
en: {
‘primaryauth.title’: ‘Please enter your credentials to login.’
},
},
features: {
rememberMe: false, // Setting to false will remove the checkbox to save username
},
authParams: {
pkce: true,
responseMode: ‘fragment’,
responseType: [‘code’, ‘token’, ‘id_token’],
}
});