Okta "The client specified not to prompt, but the user is not logged in"

Hi,

We are implementing the Okta sign-in widget with a SPA application in Okta to access a client portal built in React. We are using this SDK: GitHub - okta/okta-react: Okta OIDC SDK for React

We are encountering an issue that we cannot reproduce: when reaching the page implementing the widget (on a browser where we already logged in once) we have this error:

I’m guessing that the error comes from the Okta-Auth SDK trying to use the access token after it has expired (1 hour duration), but instead of displaying the widget and asking the user to authenticate, it throws this error.

I’m not sure how to fix this, please tell me if you need more information about Okta configuration or code.

Thank you!

Hi,

Any ideas?

I thought it was coming from the Refresh Token being disabled on my SPA app, but even after enabling it, nothing changed.

Have you tested in other browsers? Are only browsers that block 3rd-party cookies affected (e.g. Chrome Incognito and Safari with their default settings)? After you enabled refresh tokens in the Okta admin console, did you also request the offline_access scope in your oktaAuth config?

Hi,

This happens in all browsers but not in incognito mode, as this issue happens when a user logged in once, then waited for the access token to expire, and when reaching the page it throws this error.

To correct what I said, I can’t manage to generate the error by revoking the token with Postman (it doesn’t do anything). So we have to wait for the token to expire.

And yes, we have the offline_access scope for oktaAuth.

So it seems that we didn’t have the error this morning.

The offline_access scope wasn’t configured in the right place. But now we are directly logged in to Okta without going through the sign-in page.

I think it’s normal, as the refresh token is set to last 7 days, but the Okta session is configured to last 12 hours, so the user should need to sign in every 12 hours, right?

I’m not sure our tests were 12 hours apart, so I prefer asking about the behaviour here before waiting for tomorrow.

Thank you

Access to the OIDC app is no longer dependent on the Okta session when you use refresh tokens. If the refresh token is being used, the Okta session expiring after 12 hours will not affect the users’ access to the application; only the refresh token lifetimes will matter.

So no, you should not see the users getting logged out after 12 hours, provided your app is receiving and using the refresh tokens instead (you can check whether it is by confirming in the browser that, upon token expiration, you only see requests to the /token endpoint (with the refresh token in the body) and there are no further requests to /authorize after the initial login).
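The network check suggested in the answer above, as an added example in JavaScript that is not part of this thread or of the okta-react SDK. It audits a constructed capture of the browser's requests to the Okta org: an app that really uses refresh tokens shows only POST /v1/token calls with grant_type=refresh_token after the initial login, whereas silent /v1/authorize?prompt=none renewals depend on the Okta session cookie and produce the "login_required" error once that session has expired. The issuer URL and the capture entries are assumed sample values.

```javascript
// Added example (not from the thread or the SDK). ISSUER and the captures are
// constructed sample values; real entries would come from the browser's
// network panel or a HAR export.
const ISSUER = "https://example.okta.com/oauth2/default";

// Classify one captured request by the OIDC endpoint and parameters it uses.
function classifyRequest(req) {
  const url = new URL(req.url);
  if (url.pathname.endsWith("/v1/authorize")) {
    // prompt=none is a silent renewal that needs a live Okta session cookie.
    return url.searchParams.get("prompt") === "none" ? "silent_authorize" : "interactive_authorize";
  }
  if (url.pathname.endsWith("/v1/token") && req.method === "POST") {
    const grant = new URLSearchParams(req.body).get("grant_type");
    if (grant === "refresh_token") return "refresh";
    if (grant === "authorization_code") return "code_exchange";
    return "other_token";
  }
  return "other";
}

// Summarise how the app renews tokens after the first interactive login.
function auditRenewal(requests) {
  const kinds = requests.map(classifyRequest);
  const firstLogin = kinds.indexOf("interactive_authorize");
  let offlineAccessRequested = false;
  if (firstLogin !== -1) {
    // Without offline_access in the initial request no refresh token is issued.
    const scope = new URL(requests[firstLogin].url).searchParams.get("scope") || "";
    offlineAccessRequested = scope.split(" ").includes("offline_access");
  }
  const after = kinds.slice(firstLogin + 1); // everything after the first login
  const refreshes = after.filter((k) => k === "refresh").length;
  const silentAuthorizes = after.filter((k) => k === "silent_authorize").length;
  return {
    offlineAccessRequested,
    refreshes,
    silentAuthorizes,
    usesRefreshToken: refreshes > 0 && silentAuthorizes === 0,
    dependsOnOktaSession: silentAuthorizes > 0, // will hit login_required after session expiry
  };
}

// Constructed captures: a healthy refresh-token flow and a session-dependent one.
const healthyCapture = [
  { method: "GET", url: `${ISSUER}/v1/authorize?client_id=abc&response_type=code&scope=openid%20offline_access` },
  { method: "POST", url: `${ISSUER}/v1/token`, body: "grant_type=authorization_code&code=xyz&code_verifier=v" },
  { method: "POST", url: `${ISSUER}/v1/token`, body: "grant_type=refresh_token&refresh_token=rt1&scope=openid%20offline_access" },
  { method: "POST", url: `${ISSUER}/v1/token`, body: "grant_type=refresh_token&refresh_token=rt2&scope=openid%20offline_access" },
];
const sessionBoundCapture = [
  { method: "GET", url: `${ISSUER}/v1/authorize?client_id=abc&response_type=code&scope=openid%20profile` },
  healthyCapture[1],
  { method: "GET", url: `${ISSUER}/v1/authorize?client_id=abc&response_type=code&prompt=none` },
];
```

Run `auditRenewal(healthyCapture)` and `auditRenewal(sessionBoundCapture)` to compare the two summaries; the second reports `dependsOnOktaSession: true` and no offline_access in the initial request.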