How to refresh Device Secret

I currently refresh Access tokens and ID Tokens using the “refresh” token.

Is there a method or API that will allow for refreshing the “Device Secret” token that is returned when using the scope “device_SSO” ?

Hello,

No the device_secret will be returned for the original token call in the authorization flow.
This secret will be tied to the Okta session associated with the original request. As long as that session is still active the device_secret should still be active as well.

Thank You,

1 Like

Erik,

Which token is the Device Secret “life” / “expiration” based on?

Does it match the ACCESS TOKEN or the REFRESH TOKEN?

The customer I am working with has the REFRESH TOKEN set to 1 day, while the ACCESS TOKEN is 5 minutes.

The device_secret lifetime is associated with how long the Okta session (sid cookie) used to obtain the device_secret is valid for.

from:

Note: You can pass an expired ID token as part of the token exchange grant as long as the device_secret (sid ) that the id_token is associated with is still valid.

1 Like