Yes and no.
If you have refresh token rotation configured for your Okta app integration and are successfully granting/storing refresh tokens in the token manager of your application, then autoRenew is indeed using that refresh token to renew access/id tokens, replacing the previous refresh token with a fresh one every time.
However, if there is no refresh token in your token manager (or you are running an older version of auth-js) then autoRenew will still fire by making a cookie-dependent OIDC call (without prompt) in an iframe.
So autoRenew is pretty dynamic/forgiving. But unless you have a refresh token in your token manager, it is not using refresh token rotation.
Thanks for the reply. I don’t have that enabled (I think I have to contact support to do so).
autoRenew seems to work as expected, which I presume is the cookie way of doing things. I can see a network call made out to /token every 5 minutes. However, I’m wary of browsers eventually not allowing cookies to be used this way. Currently I see “Indicate whether to send a cookie in a cross-site request by specifying its SameSite attribute” in the error list in Chrome dev tools. Like I said, it still works, but I am trying to get ahead of the possibility of our users one day being kicked out after 5 minutes and us then having to scramble to enable Refresh Token Rotation. Do you think it would be a good idea to implement this now? Is there any rush?
Good on you for thinking ahead! I don’t know if I’d say there’s a “rush” but IMO it’s definitely worth implementing - especially since the steps to implement are pretty basic. Essentially you enable refresh token rotation on the app integration in Okta, then make sure you add “offline_access” to the scopes in your /authorize call. Auth-js handles the rest.
One other thing to note - as of right now we are investigating a potential regression where the refresh token isn’t being rotated for v4.9+. So if you do decide to implement this, you may want to run auth-js 4.8 for the time being. You can follow the github issue here:
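The renewal behaviour described in the first reply (refresh token present: rotation; absent: cookie-dependent iframe call) and the two setup steps above, as an added diagnostic example that is not code from the thread or from Okta's auth-js. It assumes auth-js keeps its tokens as JSON under the localStorage key `okta-token-storage`; the issuer, client id and token values are placeholders.

```javascript
// Added example (not from the thread or from auth-js): work out which path
// autoRenew will take from the app config and the token manager's storage.
// Assumption: tokens live as JSON under localStorage key 'okta-token-storage'
// with optional accessToken / idToken / refreshToken entries.
const TOKEN_STORAGE_KEY = 'okta-token-storage';

// Read the token manager's storage object from a Storage-like source.
function readTokenStorage(storage, key = TOKEN_STORAGE_KEY) {
  const raw = storage.getItem(key);
  if (!raw) return {};
  try { return JSON.parse(raw) || {}; } catch { return {}; }
}

// Decide which renewal path autoRenew will take and list configuration gaps.
function diagnoseRenewal(config, tokens) {
  const scopes = config.scopes || [];
  const autoRenew = !(config.tokenManager && config.tokenManager.autoRenew === false);
  const hasRefreshToken = Boolean(tokens.refreshToken && tokens.refreshToken.refreshToken);
  const findings = [];
  if (!autoRenew) return { mode: 'manual', findings: ['autoRenew is disabled'] };
  if (hasRefreshToken) return { mode: 'refresh_token_rotation', findings };
  if (!scopes.includes('offline_access')) {
    findings.push("'offline_access' missing from scopes: no refresh token is issued");
  } else {
    findings.push('offline_access requested but no refresh token stored: verify Refresh Token Rotation is enabled on the Okta app integration');
  }
  findings.push('renewal relies on third-party cookies in an iframe (SameSite warnings in the browser console point here)');
  return { mode: 'iframe', findings };
}

// Second setup step from the thread: add offline_access to the /authorize scopes.
function withOfflineAccess(config) {
  const scopes = config.scopes || ['openid'];
  return scopes.includes('offline_access') ? config : { ...config, scopes: [...scopes, 'offline_access'] };
}

// Constructed sample storage (fake token values) with and without a refresh token.
function fakeStorage(entries) {
  return { getItem: (k) => (k === TOKEN_STORAGE_KEY ? JSON.stringify(entries) : null) };
}
const WITHOUT_RT = fakeStorage({ accessToken: { accessToken: 'fake.at', expiresAt: 1 } });
const WITH_RT = fakeStorage({ accessToken: { accessToken: 'fake.at', expiresAt: 1 },
                              refreshToken: { refreshToken: 'fake.rt', expiresAt: 2 } });
// Placeholder config; issuer/clientId are not real values.
const CONFIG = { issuer: 'https://{yourOktaDomain}/oauth2/default', clientId: 'PLACEHOLDER_CLIENT_ID',
                 scopes: ['openid', 'profile', 'email'], tokenManager: { autoRenew: true } };

console.log(diagnoseRenewal(CONFIG, readTokenStorage(WITHOUT_RT)).mode);                 // iframe
console.log(diagnoseRenewal(withOfflineAccess(CONFIG), readTokenStorage(WITH_RT)).mode); // refresh_token_rotation
```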
Excellent thanks, didn’t realize it was that straight forward. I thought I would have to retrieve the refresh token myself and pass it on.
I’m actually reliant on v4.9 because of this issue so I might hold off until the issue you linked is resolved.