Is autoRenew the same as Refresh token rotation?

I am using autoRenew which is enabled by default in the okta-auth-js library, which is called via the okta-react library. I was wondering if this is the same thing as refresh token rotation?

Yes and no.

If you have refresh token rotation configured for your Okta app integration and are successfully granting/storing refresh tokens in the token manager of your application, then autoRenew is indeed using that refresh token to renew access/id tokens, replacing the previous refresh token with a fresh one every time.

However, if there is no refresh token in your token manager (or you are running an older version of auth-js) then autoRenew will still fire by making a cookie-dependent OIDC call (without prompt) in an iframe.

So autoRenew is pretty dynamic/forgiving. But unless you have a refresh token in your token manager, it is not using refresh token rotation.


Thanks for the reply. I don’t have that enabled (I think I have to contact support to do so). autoRenew seems to work as expected which I presume is the cookie way of doing things. I can see a network call made out to /authorize and /token every 5 minutes. However, I’m wary of browsers eventually not allowing cookies to be used this way. Currently I see “Indicate whether to send a cookie in a cross-site request by specifying its SameSite attribute” in the error list in Chrome dev tools. Like I said it still works but I am trying to get ahead of the possibility of our users one day being kicked out after 5 minutes and us then having to scramble to enable Refresh Token Rotation. Do you think it would be a good idea to implement this now? Is there any rush?

Good on you for thinking ahead! I don’t know if I’d say there’s a “rush” but IMO it’s definitely worth implementing - especially since the steps to implement are pretty basic. Essentially you enable refresh token rotation on the app integration in Okta, then make sure you add “offline_access” to the scopes in your /authorize call. Auth-js handles the rest.

One other thing to note - as of right now we are investigating a potential regression where the refresh token isn’t being rotated for v4.9+. So if you do decide to implement this, you may want to run auth-js 4.8 for the time being. You can follow the GitHub issue here:


Excellent thanks, didn’t realize it was that straightforward. I thought I would have to retrieve the refresh token myself and pass it on.

I’m actually reliant on v4.9 because of this issue so I might hold off until the issue you linked is resolved.
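
A diagnostic sketch of the two renewal paths discussed in this thread, added here as an example and not code from okta-auth-js or from the posters. The snapshot shape (an object with an optional `refreshToken` entry holding a `refreshToken` string), the function names and all token values are assumptions constructed for illustration.

```javascript
'use strict';
// Added diagnostic example. The snapshot shape is an assumption: an object
// with an optional `refreshToken` entry that holds a `refreshToken` string.

// Returns true when the snapshot holds a usable refresh token value.
function hasRefreshToken(tokens) {
  const entry = tokens && tokens.refreshToken;
  return Boolean(entry) && typeof entry.refreshToken === 'string' && entry.refreshToken.length > 0;
}

// Which renewal path applies, per the thread: a stored refresh token means
// the refresh token grant; otherwise the cookie-dependent iframe call.
function renewalPath(requestedScopes, tokens) {
  const asksOffline = requestedScopes.includes('offline_access');
  if (hasRefreshToken(tokens)) {
    return { path: 'refresh_token', action: 'none' };
  }
  return {
    path: 'iframe_cookie',
    action: asksOffline
      ? 'offline_access is requested but no refresh token is stored: check the app integration'
      : 'enable refresh token rotation on the app integration and add offline_access to scopes',
  };
}

// Compare snapshots taken before and after one renewal to see whether the
// refresh token was replaced (the behaviour the v4.9+ issue puts in doubt).
function rotationStatus(before, after) {
  if (!hasRefreshToken(before) || !hasRefreshToken(after)) return 'no_refresh_token';
  return before.refreshToken.refreshToken === after.refreshToken.refreshToken
    ? 'not_rotated'
    : 'rotated';
}

// Constructed sample snapshots (not real tokens).
const cookieOnly = { accessToken: { accessToken: 'at-1' }, idToken: { idToken: 'id-1' } };
const withRt = { ...cookieOnly, refreshToken: { refreshToken: 'rt-1' } };
const afterRenew = { ...cookieOnly, refreshToken: { refreshToken: 'rt-2' } };

console.log(renewalPath(['openid', 'profile'], cookieOnly).path);
console.log(renewalPath(['openid', 'offline_access'], withRt).path);
console.log(rotationStatus(withRt, afterRenew));
console.log(rotationStatus(withRt, withRt));
```

Run it against the parsed contents of the token manager's storage captured before and after one renewal; a `not_rotated` result with rotation enabled is the symptom to compare against the regression mentioned above.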
