Getting 401 Unauthorized even though token should be valid

I have integrated my apps with Okta, and App-A (through which I get a token from Okta when the user signs in) is calling an API in App-B by passing the token.

This works for the initial 20-30 minutes (token expiration is 1 hour), but then I start getting a 401 Unauthorized error, which only goes away if the user logs out and logs back in.

Note: These are C# web apps.

Any idea what could be the issue?

Hi @jabber30,

This sounds like a possible clock-drift issue, where the system clock is drifting ahead by approximately 30 minutes. You should be receiving an error message with the 401 response code. Can you share that with us so we can help identify the root cause?
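Added example (Python, not code from the original posts) of the clock check the reply above points at: decode the token's iat/exp, compare iat with the local clock at the moment the token arrived, and track expiry as lifetime measured from that moment rather than as the absolute exp. The token, issuer and subject below are constructed for the demo and the signature is never verified; the result is for diagnostics and refresh scheduling only, not for authorization decisions.

```python
import base64
import json


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(iat: int, exp: int) -> str:
    """Constructed JWT-shaped token with a dummy signature (NOT a real Okta token).

    It exists only so the timing checks below have something to decode.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    payload = _b64url_encode(json.dumps({
        "iss": "https://example.okta.com/oauth2/default",  # assumed issuer
        "sub": "jay@example.com",                           # assumed subject
        "iat": iat,
        "exp": exp,
    }).encode())
    return f"{header}.{payload}.dummysig"


def decode_claims(token: str) -> dict:
    """Read the payload without verifying the signature.

    Use the result for scheduling and diagnostics only; App-B must still
    verify the signature (or call /introspect) before trusting the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def assess_token(token: str, received_at: int, now: int, leeway: int = 60) -> dict:
    """Compare the issuer's clock with ours and compute expiry on the local clock.

    received_at and now are local epoch seconds. A freshly issued token's iat
    should be within `leeway` of our clock at receipt; a larger gap means one
    of the clocks is off. Expiry is tracked as received_at + (exp - iat), the
    lifetime measured from when we got the token, so a skewed local clock does
    not make us treat an expired token as still valid (or vice versa).
    """
    claims = decode_claims(token)
    drift = claims["iat"] - received_at        # > 0: issuer's clock is ahead of ours
    lifetime = claims["exp"] - claims["iat"]
    local_expires_at = received_at + lifetime
    naive_remaining = claims["exp"] - now      # what a plain exp-vs-now check reports
    remaining = local_expires_at - now
    return {
        "drift_seconds": drift,
        "clock_drift_suspected": abs(drift) > leeway,
        "remaining_seconds": remaining,
        "naive_remaining_seconds": naive_remaining,
        "expired": remaining <= 0,
    }
```

Run the same check on App-B's side as well: a 401 after 30 minutes on a 1-hour token is exactly what a resource server whose clock is 30 minutes ahead would produce, and the drift value tells you which machine to look at.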

Hi @jmelberg
Thanks for your response. Actually, the reason was that if I try to refresh the token AFTER it has expired, it returns a new token, but its state is ACTIVE : false. So I guess I should always refresh the token before the original token has expired.

Btw, is it really true that you can't refresh a token after it has expired?

Jay

@jabber30,

Tokens can be refreshed assuming you have one of the following:

  1. A refreshToken to pass to the /token endpoint
    • Using a long-lived refreshToken will allow you to mint new access and identity tokens when they expire. See refreshing tokens for more information.
  2. A valid SSO session within Okta
    • Depending on the OAuth grant you're using (authorization code, implicit, or hybrid), you can leverage a user's Okta session to mint new tokens by redirecting to the /authorize endpoint. Once the user's session has expired, you'll need to prompt for login again, as this silent login flow will fail.

Can you double check your implementation to ensure you have a valid refreshToken or Okta session before making the request?

Hi @jmelberg

I think there has been some misunderstanding. I am able to refresh the token as long as I refresh it before the token has expired. And I think your statement agrees with me: "1. • Once the user's session has expired, you'll need to prompt for login again, as this silent login flow will fail."

Hi @jmelberg
I am actually having a different issue right now. Before I state it, here are my settings:
OAuthResponseType = code id_token
OAuthScopes = openid email profile address phone groups offline_access

At the launch of my app, the user is prompted with the Okta login screen, upon which I get the access token, refresh token, and so on. Once that is done, I keep monitoring the expiry time of the token, and 15 minutes before it is about to expire, I refresh the token.

What I found is that the refresh token logic works and extends the expiry time by an hour, but about 5-15 minutes after getting the refreshed token, the ACTIVE status of the token starts returning false when I introspect it with Okta.

Is there something I am missing? Did I provide enough information?

Thanks in advance,
Jay
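Added example (Python, not code from the original posts or from Okta) covering both the refresh-token option in jmelberg's reply and the refresh-15-minutes-ahead plus introspection loop Jay describes in his last post. It exercises the refresh_token grant (RFC 6749 section 6) and token introspection (RFC 7662) against the Okta-style paths issuer + "/v1/token" and issuer + "/v1/introspect"; the issuer URL, client credentials and token values are assumed/constructed, and the HTTP transport and clock are injectable so the logic can be run offline. A rotated refresh_token in the reply is stored in place of the old one, and an error reply (for example invalid_grant) is turned into "send the user back to /authorize", which is the only recovery once the refresh token or Okta session is gone.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

REFRESH_AHEAD = 15 * 60   # seconds before expiry at which we refresh (the thread's 15 minutes)


def http_post_form(url: str, form: dict, headers: dict) -> dict:
    """Default transport: POST an x-www-form-urlencoded body and return the JSON reply.

    OAuth error replies are JSON with a 4xx status, so they are returned
    (carrying an "error" key) rather than raised.
    """
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    for name, value in headers.items():
        req.add_header(name, value)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return json.loads(e.read())


class TokenSession:
    """Holds one user's token set and refreshes it ahead of expiry."""

    def __init__(self, issuer, client_id, client_secret, tokens, received_at,
                 post=http_post_form, clock=time.time):
        # Assumed Okta authorization-server paths; issuer is e.g. https://<org>/oauth2/default
        self.token_url = f"{issuer}/v1/token"
        self.introspect_url = f"{issuer}/v1/introspect"
        basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        self._auth = {"Authorization": "Basic " + basic}
        self.post = post
        self.clock = clock
        self.refresh_token = None
        self._store(tokens, received_at)

    def _store(self, tokens, received_at):
        self.access_token = tokens["access_token"]
        # With refresh-token rotation the server returns a new refresh_token; keep it.
        self.refresh_token = tokens.get("refresh_token", self.refresh_token)
        # Expiry on the local clock, from the lifetime the server reported.
        self.expires_at = received_at + int(tokens["expires_in"])

    def needs_refresh(self, now=None):
        now = self.clock() if now is None else now
        return self.expires_at - now <= REFRESH_AHEAD

    def refresh(self):
        """refresh_token grant; raises when only an interactive login can recover."""
        if not self.refresh_token:
            raise RuntimeError("no refresh token; send the user back to /authorize")
        sent_at = self.clock()
        reply = self.post(self.token_url,
                          {"grant_type": "refresh_token", "refresh_token": self.refresh_token},
                          self._auth)
        if "error" in reply:
            # e.g. invalid_grant: refresh token expired, revoked or already rotated away
            raise RuntimeError(f"refresh failed ({reply['error']}); re-authenticate the user")
        self._store(reply, sent_at)
        return self.access_token

    def bearer(self):
        """Access token to send to App-B, refreshing first if inside the window."""
        if self.needs_refresh():
            self.refresh()
        return self.access_token

    def is_active(self):
        """Ask the authorization server whether the current access token is live."""
        reply = self.post(self.introspect_url,
                          {"token": self.access_token, "token_type_hint": "access_token"},
                          self._auth)
        return bool(reply.get("active"))
```

Two things worth checking against the behaviour in the last post: that the stored refresh_token is the one from the most recent /token reply (a reused, already-rotated refresh token is rejected), and that is_active() is called on the token actually handed out by bearer() rather than on a copy cached before the refresh.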