Whether Okta returns a new refresh token with a new access token depends on the refresh token lifetime setting. If the lifetime setting hasn’t expired, when a client makes a request for a new access token, Okta only returns the new access token. After the lifetime setting expires, Okta returns a new refresh token and a new access token.
I have problems even understanding this statement. If the lifetime hasn’t expired, I don’t get new refresh token. However, after its lifetime expires, it is no longer valid, and the request gets rejected.
Doing /v1/token request every 10 seconds. It works for 10 minutes, always returns new access token but the same refresh token. After 10 minutes the refresh token expires and I can no longer access the endpoint at all.
I also don’t want to rotate refresh token after every use.
If this screenshot is for the configuration you were testing against, then the fact that you were no longer able to use your refresh token after 10 minutes makes complete sense.
The first option for the refresh token lifetime, AND Refresh token lifetime is 10 Minutes represents its max lifetime. Once the refresh token’s max lifetime has been reached, you will no longer be able to use that token to renew tokens and the user to which that token was issued will be required to re-authenticate with Okta.
The second option for the refresh token lifetime, but will expire if not used every 5 Minutes represents its idle lifetime. When the refresh token is issued, its expiration will be set to 5 minutes, which can be confirmed by sending the refresh token to the /introspect endpoint. If it is not used within that 5 minute period to request new tokens, it will expire and the user will need to re-authenticate with Okta. If it is used within that 5 minute period, the same refresh token string will be returned back to you (unless you have enabled refresh token rotation, in which case you will receive a new refresh token string), with a new expiration set for it set to 5 minutes from the time it was refreshed. However, its expiration cannot exceed the max lifetime set.
After the lifetime setting expires, Okta returns a new refresh token and a new access token.
And is it not possible to get a new refresh token when the existing (still valid one) is near its expiry time? We don’t need to rotate refresh token after every single request (and prefer not to), but we do want to get a new refresh token once in a while. Is that not possible?
Ahh, I see what you’re saying. That bit of the docs is a bit conflicting. I’ve put a request into our docs team to get this updated so the behavior is more clear.
You should be able to still get a refresh token up to its maximum lifetime, AND Refresh token lifetime is 10 minutes, but its expiration can never exceed the max lifetime. So if your user originally logged into this application 4 minutes ago and received a refresh token (but will expire if not used every 5 minutes), they can use that refresh token to get new access tokens.
They can keep doing this up until the refresh token maximum lifetime is reached (10 minutes since the originally authenticated through Okta). At that 10 minute mark, their refresh token is no longer valid and they will need to re-authenticate through Okta (e.g. the application needs to call /authorize to start a new OIDC flow).
If you want your users to be able to stay logged into your application without needing to authenticate with Okta again (as per your app’s/org’s sign on policies) for longer, then you would want to increase the AND Refresh token lifetime is value. For example, if your users expect to be able to access the app for a full day without needing to re-authenticate, you could set that max lifetime to 24 hours. The refresh token would still expire if it hasn’t been sent to Okta every 5 minutes, but if they are active within the application/the application is keeping them logged in by refreshing their tokens, they wouldn’t need to reauth as frequently.
