Okta Session lifetime overriding refresh token lifetime


I am seeing an issue after enabling the refresh token rotation feature where the user is being automatically signed out after 2 hours even though it’s set to unlimited and should only sign the user out if they have not used the app for 7 days:

I can see the refreshToken being set in session storage so it’s coming down fine, just signing the user out too soon.

I have I’m currently using these libraries:

okta-auth-js: v5.2.2
okta-react: v6.0.0

Any issues you are aware of that would cause this?


Try updating the AuthJS v5.2.3 and React v6.1.0 (which has AuthJS v5.2.3 as a dependency), as we released some fixes related to refresh tokens/auto renewal that may help you.

I don’t see why the Okta session lifetime would affect you as long as the refresh tokens are being requested, stored, and used. Let me know if updating your package(s) helps or not.

1 Like

Thanks @andrea, just upgraded so I will leave the app idle for 2.5 hours to see what happens. Unless there’s a faster way to verify it?

If you shorten your token lifetimes, the token autorenewal will occur faster. For my own testing, I use a custom authorization server configured to grant access tokens with the shortest lifetime possible (5 minutes) and use a token inline hook to also shorten my ID token lifetimes (default 1hr, I lower them to 5min as well).

If there’s concern for the org sign in policy as well, you could create a new policy with a higher priority than your existing policy that applies only to your test user to shorten the Okta session lifetime as well, but that may or may not be necessary if the refresh tokens are being used properly.

1 Like

Thanks. I upgraded but am now running into some issues with tests:

          Passed in oktaAuth is not compatible with the SDK, okta-auth-js version 5.x is the current supported version.

Strangely enough I don’t get this error when running locally via npm start , just when running npm test .

Also, just to confirm, do I need to have both okta-react and okta-auth-js installed? Or is just okta-react enough?

Interesting… might be worth clearing out node modules and reinstalling after the upgrade.

And yeah, just okta-react should be enough, and it will install the AuthJS version it needs anyway.

Thanks, I tried that alright and I can see the versions in my node_modules folder are correct but it still fails.

I just downgraded okta-react to 6.0.0 but stuck with okta-auth-js to 5.2.3 and the tests now pass. Do you reckon the fixes you mentioned will still be included into okta-auth-js 5.2.3 or would I still need to upgrade to okta-react 6.1.0 in order to get those?

EDIT: Do you reckon the fact this issue only occurs in my tests has anything to do with these changes? Should I also be skipping version checking within tests?

EDIT 2: Yep this was the issue, when I add the following it the tests work: "test": "SKIP_VERSION_CHECK=1 react-scripts test", Do you know if this breaking change is documented anywhere? Is this something I have to leave in?

Just updating AuthJS to 5.2.3 should fix it, since the only fix you really need from React V6.1.0 (for this issue) was its use of AuthJS v5.2.3

1 Like

Thanks. It looks like my original issue was caused by this change. Adding "SKIP_VERSION_CHECK=1 react-scripts test" to my own test script makes it work but I wonder if this is intentional?

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.