isAuthenticated check in Okta react (and other packages possibly) is erroneous

Here is the check for isAuthenticated in https://github.com/okta/okta-oidc-js/blob/3e658c8d4d909f29fa8971fe654018ffe50380e3/packages/okta-react/src/Auth.js#L63 :

async isAuthenticated() {
  // If there could be tokens in the url
  if (location && location.hash && containsAuthTokens.test(location.hash)) return null;
  return !!(await this.getAccessToken()) || !!(await this.getIdToken());
}

The function only checks to see if the AccessToken or IdToken are present in local storage (in most cases this is the path), but does not actually check the validity of the tokens. Essentially, this means if I manually populate the localStorage with some invalid tokens in the schema specified by okta-token-storage, it will return true, that is, the user is authenticated. This makes certain components like SecureRoute unusable, because the secure route is essentially not secure since it calls isAuthenticated() in the underlying implementation.

This is a possible explanation for the other bug posted: JwtParseError: Jwt is expired and isAuthenticated is always returning true.

If you want more visibility for this issue, I’d suggest entering it as a bug in the okta-oidc-js GitHub project.
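
The gap described in the first post, as an added example that is not part of the original thread or of okta-react: a presence-only check next to one that also rejects expired or malformed entries. The storage layout and every function name here are assumptions for illustration, and neither check verifies the token signature.

```javascript
// Added illustration, not okta-react code. Assumed layout: a JSON object under
// "okta-token-storage" whose entries hold the token string and `expiresAt` (seconds).
const STORAGE_KEY = 'okta-token-storage';

function readTokens(storage) {
  try {
    return JSON.parse(storage.getItem(STORAGE_KEY)) || {};
  } catch (e) {
    return {}; // unparseable storage counts as "no tokens"
  }
}

// Presence-only logic, equivalent to the check quoted in the post.
function presenceOnly(storage) {
  const t = readTokens(storage);
  return !!(t.accessToken && t.accessToken.accessToken) ||
         !!(t.idToken && t.idToken.idToken);
}

// Decode a JWT payload without verifying the signature; null if malformed.
function jwtPayload(jwt) {
  const parts = typeof jwt === 'string' ? jwt.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// Stricter check: an entry needs a future `expiresAt`; an ID token must also be
// a well-formed JWT whose own `exp` claim is still in the future.
const unexpired = (e, now) => !!e && Number.isFinite(e.expiresAt) && e.expiresAt > now;
function hasUsableToken(storage, now = Math.floor(Date.now() / 1000)) {
  const t = readTokens(storage);
  const at = t.accessToken, id = t.idToken;
  if (unexpired(at, now) && typeof at.accessToken === 'string' && at.accessToken) return true;
  const claims = id ? jwtPayload(id.idToken) : null;
  return unexpired(id, now) && !!claims && Number.isFinite(claims.exp) && claims.exp > now;
}

// Constructed sample data: junk strings versus a well-formed, unexpired ID token.
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const storageOf = (tokens) => ({ getItem: () => JSON.stringify(tokens) });
const NOW = 1700000000;
const junk = storageOf({ accessToken: { accessToken: 'x' }, idToken: { idToken: 'y' } });
const freshJwt = `${b64url({ alg: 'RS256' })}.${b64url({ exp: NOW + 3600 })}.sig`;
const fresh = storageOf({ idToken: { idToken: freshJwt, expiresAt: NOW + 3600 } });
```

With the constructed `junk` storage, `presenceOnly` reports true while `hasUsableToken` reports false; with `fresh`, both report true.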