I am seeing an issue after enabling the refresh token rotation feature where the user is being automatically signed out after 2 hours even though it’s set to unlimited and should only sign the user out if they have not used the app for 7 days:
Try updating to AuthJS v5.2.3 and React v6.1.0 (which has AuthJS v5.2.3 as a dependency), as we released some fixes related to refresh tokens/auto renewal that may help you.
I don’t see why the Okta session lifetime would affect you as long as the refresh tokens are being requested, stored, and used. Let me know if updating your package(s) helps or not.
If you shorten your token lifetimes, the token autorenewal will occur faster. For my own testing, I use a custom authorization server configured to grant access tokens with the shortest lifetime possible (5 minutes) and use a token inline hook to also shorten my ID token lifetimes (default 1hr, I lower them to 5min as well).
If there’s concern for the org sign in policy as well, you could create a new policy with a higher priority than your existing policy that applies only to your test user to shorten the Okta session lifetime as well, but that may or may not be necessary if the refresh tokens are being used properly.
Thanks, I tried that alright and I can see the versions in my node_modules folder are correct but it still fails.
I just downgraded okta-react to 6.0.0 but stuck with okta-auth-js 5.2.3 and the tests now pass. Do you reckon the fixes you mentioned will still be included in okta-auth-js 5.2.3 or would I still need to upgrade to okta-react 6.1.0 in order to get those?
EDIT: Do you reckon the fact this issue only occurs in my tests has anything to do with these changes? Should I also be skipping version checking within tests?
EDIT 2: Yep, this was the issue. When I add the following, the tests work: "test": "SKIP_VERSION_CHECK=1 react-scripts test", Do you know if this breaking change is documented anywhere? Is this something I have to leave in?
Thanks. It looks like my original issue was caused by this change. Adding "SKIP_VERSION_CHECK=1 react-scripts test" to my own test script makes it work but I wonder if this is intentional?