Hi, I am developing a web application now and want to make sure about the behavior of the refresh token.
All under [Okta Authorization Server], from the token lifetime: if I set the application with persistent refresh token behavior, the default lifetime is 90 days, and I was wondering what will happen when the lifetime expires? Does this refresh token become invalid, so that I need to do the OAuth flow again? Or, like mentioned in this Persistent token risk, will the server provide a new refresh token? Thanks!
Whether Okta returns a new refresh token with a new access token depends on the refresh token lifetime setting. If the lifetime setting hasn’t expired, when a client makes a request for a new access token, Okta only returns the new access token. After the lifetime setting expires, Okta returns a new refresh token and a new access token.
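As an added illustration of the behavior described above (example code, not from the thread or from Okta's SDKs), a client-side routine that merges a refresh-grant response into the stored token set: it keeps the old refresh token when the response carries none, stores the new one when rotation happens, and treats `invalid_grant` as "start the authorization flow again". The response bodies and token strings are constructed samples.

```python
import json
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TokenSet:
    access_token: str
    refresh_token: str
    expires_at: float  # epoch seconds at which the access token expires


def apply_refresh_response(current: TokenSet, body_json: str, now: float) -> Optional[TokenSet]:
    """Merge a refresh-grant response from the /token endpoint into stored tokens.

    The response may or may not include a refresh_token: it is omitted while the
    current refresh token is still within its lifetime and present once a new one
    is issued. Returns None when the refresh token is no longer usable
    (invalid_grant), meaning the user has to authorize again.
    """
    body = json.loads(body_json)
    if "error" in body:
        if body["error"] == "invalid_grant":
            return None  # refresh token expired or revoked: restart the OAuth flow
        raise RuntimeError(f"token endpoint error: {body['error']}")
    # Keep the existing refresh token unless the server issued a replacement;
    # always persist the newest one, or the next refresh will fail.
    rotated = body.get("refresh_token", current.refresh_token)
    return TokenSet(
        access_token=body["access_token"],
        refresh_token=rotated,
        expires_at=now + float(body["expires_in"]),
    )


# Constructed sample responses (not real tokens), shaped like OAuth 2.0 token responses.
INITIAL = TokenSet("at-old", "rt-original", 0.0)
ACCESS_ONLY_RESPONSE = json.dumps({"token_type": "Bearer", "expires_in": 3600,
                                   "access_token": "at-new", "scope": "okta.users.read offline_access"})
ROTATED_RESPONSE = json.dumps({"token_type": "Bearer", "expires_in": 3600,
                               "access_token": "at-new", "refresh_token": "rt-rotated",
                               "scope": "okta.users.read offline_access"})
INVALID_GRANT_RESPONSE = json.dumps({"error": "invalid_grant",
                                     "error_description": "constructed: refresh token expired"})

if __name__ == "__main__":
    for label, resp in [("no rotation", ACCESS_ONLY_RESPONSE), ("rotated", ROTATED_RESPONSE),
                        ("expired", INVALID_GRANT_RESPONSE)]:
        result = apply_refresh_response(INITIAL, resp, now=1000.0)
        print(label, "->", "re-authorize" if result is None else result.refresh_token)
```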
My goal is to extend the lifetime of refresh token of Org Authorization Server.
The reason why I don't use a Custom Authorization Server is that I need some Org Admin Scopes that are only available on the Org Authorization Server.
Hence, if there’s a way to use Custom Authorization Server with Org Admin Scope then that’s great.
I have read this post, but in my test the admin scope is not allowed for a Custom Authorization Server.
Yup, as @kulwch mentioned, the tokens issued by the Org auth server have a fixed lifetime; you can only adjust the lifetime for tokens issued by Custom auth servers.
Thanks @andrea and @kulwch, yes, I know about the limitation that the lifetime is hard-coded for the Org Authorization Server. But I want to know if there is a way to get a refresh token with a flexible lifetime that also accepts the custom scopes used for the Org Authorization Server?
I'm asking because I need a token to call the management API, so scopes like okta.users.read or other scopes are required. Therefore I chose the Org Authorization Server in my implementation.
However, the refresh token lifetime will require reauthorization every 90 days, which is confusing to our customers.
Therefore, I would like to know if there's a way / an authorization server that could have both a flexible lifetime setting for the refresh token and admin management scopes for the access token at the same time?
Thanks!
I can’t think of a way around this, as only the Org Authorization Server supports scopes like okta.users.read and these tokens have a limited, and uncustomizable, lifetime.