Okta-auth-js autorenew with MFA

Questions
1

Hello,

We are currently using the okta-auth-js SDK for our angular app. We have set the autoRenew option to true so that access tokens for our users will be automatically renewed when nearing expiration. I have verified that the background timer is functioning properly and is sending the initial request to renew to the /authorize endpoint.

In our okta application sign on settings, we are requiring all users to be challenged for MFA. For now, we are requiring once a week.

When a user logs in and are prompted for the MFA challenge, they are presented with the option to don’t challenge for X days:

image

If they check this option, everything functions perfectly with autoRenew. If they DON’T check this option, the autoRenew process fails to get a new token. When a token is nearing expiration, the okta-auth-js service attempts to make a request to the /authorize endpoint but fails to get new access tokens. The response from the /authorize endpoint is a page that says either authentication is required or a successful challenge is needed.

I have verified this behavior when I don’t check this option. The very next API call I make to my service fails with a 401 because the new access token was never received.

Is this a known issue? Is there a workaround?

2

Are you requesting Refresh Tokens (with the offline_access scope)?

If not, autoRenew will attempt to get new tokens silently in an iframe with the getWithoutPrompt method, which involves setting the prompt parameter to none in the /authorize request made to Okta. This prevents Okta from being able to prompt the user for MFA

From what I can tell, you could either:

  • request the offline_access scope so that refresh tokens are retrieved and used by autoRenew to keep users logged in, but they will not be prompted for MFA (at least as far as I’m aware) for as long as their Refresh Token is active
    • after the RT expires, you’re likely going to see the same login_required failure when the SDK relies on the Okta session and getWithoutPrompt method to keep the user logged in, as described above
  • set autoRenew to false and instead handle token renewals yourself, but you will need to use getWithRedirect to ensure that the app redirects back to Okta to log the user (that way, they can be challenged for MFA)
3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.