We are using okta-auth-js and okta-react libraries which seem to use cookies to auto renew access tokens. However, I have seen this new Refresh Token Rotation feature and was wondering by what date you’d recommend switching over to it? Is there a certain timeline that the current cookie method will no longer be supported in browsers?
The functionality for silent renewal (where the authorize call is made in an iframe, aka the cookie method you mentioned) is heavily dependent on the individual browsers' default settings and on when they each decide that they will start blocking third-party cookies (Safari and Chrome Incognito already do so).
We rolled out the Refresh Token Rotation feature, now Generally Available, to help with this issue and it is definitely our recommendation to move to it as soon as you are able to.
@andrea just one more question. The article you linked specifically calls out that this is only an issue for customer hosted sign in widgets. Does that mean it’s not an issue for those using the okta hosted sign in widget? Or is that separate to the autoRenewal feature found in the okta-auth-js library?
The FAQ mostly discusses that this issue crops up if you make a CORS request (that requires the session cookie be included) to Okta from a different domain than your Okta tenant. Even if you use the Okta hosted widget to handle the initial authentication, the silent auto-renewal done by the SDK will attempt to make the authorize call in an iframe, which causes the same issue as attempting any other CORS request from a separate domain.
The SDK’s autorenew functionality will use the token.getWithoutPrompt method that notes that it relies on third-party cookies, which is why we would recommend using refresh tokens to avoid running afoul of that browser security/privacy setting, as the SDK will instead call the /token endpoint (before falling back on silent renewal in an iframe), using the refresh_token instead of the session cookie to make the request.
The session cookie is called ‘sid,’ but you may find we set a few other cookies as well that are unrelated to session (with the exception of the cookies used to store tokens and oauth parameter information that the SDKs use).