AutoRenew on React SPA

Hello,

I am currently integrating Okta in a React SPA. I am using Okta’s react package. I have succeeded in implementing an authorization code flow in order to log in the users. However, I can’t seem to figure out how to refresh the tokens silently.
My current situation is that when a token expires (or reaches the expiration - expireEarlySeconds), isAuthenticated is called, then onAuthRequired is called and I get redirected to my login page. The following error message displays in the console before isAuthenticated is called:
error.errorCode: login_required, error.description: The client specified not to prompt, but the user is not logged in.

Is the error saying that I tried to refresh the tokens but it didn’t work? How can I fix this?

Thanks,

mathieuv

I don’t remember where exactly, but it’s been discussed here already. Try to search for it.

I don’t know if you’re talking about this post: How to refresh a token silently without redirect from SPA?
Sorry, but I don’t really find my answer in this.

When the token expires, I don’t see any requests being made in the network tab, only the error in the console. Also, I am unsure about how it actually works. From what I see on different topics it should be calling /authorize, but I only see calls to api/v1/authn.
edit1:
I do see a call to /authorize with an HTTP 200; however, there is nothing in the body of the response.
edit2:
Never mind. It’s a problem with 3rd party cookies. The request doesn’t work on Chrome, but it does on Firefox.

Thanks,

mathieuv


@mathieuv Can I ask if the root cause is that 3rd party cookies are not enabled in your Chrome? And your Firefox has 3rd party cookies enabled, right?

I just checked my settings and it turns out it’s only the incognito mode that had 3rd party cookies disabled. I checked in normal mode and it worked correctly.
Nevertheless, it’s still a behaviour that I would like to avoid, so I followed the advice on custom domains in this Okta blog post, so I don’t get surprises from eventual 3rd party cookie changes in the future.

@mathieuv That makes sense. If 3rd party cookies are not enabled in the browser, you will see the issue. However, if you do not want to manually enable these cookies, custom domains are the workaround for now.
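
An added example, not part of the thread and not Okta's code: a small diagnostic that checks whether the issuer is same-site with the SPA, which is what decides whether the session cookie sent during silent renewal counts as a 3rd party cookie, and classifies the `login_required` error accordingly. The suffix list, helper names, result labels and URLs are constructed assumptions; only `error.errorCode` and `login_required` come from the posts above.

```javascript
// Constructed, deliberately tiny suffix list (assumption); production code
// should use the full Public Suffix List.
const SAMPLE_PUBLIC_SUFFIXES = new Set(['com', 'org', 'net', 'io', 'co.uk']);

// Returns the registrable domain (eTLD+1) of a hostname, or null if unknown.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    // Slices run longest-first, so multi-label suffixes such as 'co.uk'
    // are matched before any shorter suffix.
    if (SAMPLE_PUBLIC_SUFFIXES.has(labels.slice(i).join('.'))) {
      return i === 0 ? null : labels.slice(i - 1).join('.');
    }
  }
  return null;
}

// Schemeful same-site: same scheme and same registrable domain.
function isSameSite(appUrl, issuerUrl) {
  const app = new URL(appUrl);
  const idp = new URL(issuerUrl);
  const appSite = registrableDomain(app.hostname);
  return appSite !== null &&
    app.protocol === idp.protocol &&
    appSite === registrableDomain(idp.hostname);
}

// Hypothetical helper: classify an error raised by a silent renewal attempt.
function diagnoseSilentRenew(appUrl, issuerUrl, error) {
  if (!error || error.errorCode !== 'login_required') return 'other-error';
  // Cross-site issuer: the session cookie is 3rd party and may be blocked.
  // Same-site issuer: the cookie is 1st party, so the session is really gone.
  return isSameSite(appUrl, issuerUrl)
    ? 'idp-session-missing'
    : 'third-party-cookie-suspect';
}

// Constructed sample values.
const APP = 'https://app.example.com';
const ORG_ISSUER = 'https://dev-000000.okta.com/oauth2/default';
const CUSTOM_ISSUER = 'https://login.example.com/oauth2/default';
const ERR = { errorCode: 'login_required' };

console.log(diagnoseSilentRenew(APP, ORG_ISSUER, ERR));
console.log(diagnoseSilentRenew(APP, CUSTOM_ISSUER, ERR));
```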