Persistent Refresh Token behavior

Hi I am developing the web application now and want to make sure the behavior of the refresh token.

All under [Okta Authorization Server], from the token lifetime, if I set the application with persistent refresh token behavior, the default lifetime is 90 days, and I was wondering what will happen if the lifetime expired ? Does this refresh token become invalid and I need to do the oauth flow again ? Or like mentioned in this Persistent token risk, the server will provide the new refresh token? Thanks!

Whether Okta returns a new refresh token with a new access token depends on the refresh token lifetime setting. If the lifetime setting hasn’t expired, when a client makes a request for a new access token, Okta only returns the new access token. After the lifetime setting expires, Okta returns a new refresh token and a new access token.

Hi, is anyone from okta team can provide some insight on this ? Much appreciated!

My goal is to extend the lifetime of refresh token of Org Authorization Server.
The reason why I don’t use Custom Authorization Server is because I need some Org Admin Scope only used for Org Authorization Server.

Hence, if there’s a way to use Custom Authorization Server with Org Admin Scope then that’s great.

Has read this post, but under my test, the admin scope is not allowed for custom Authorization Server.

Not sure if @andrea can help with this. Thanks :pray:

Hi,
Okta API Scopes can’t be used with the custom Auth servers indeed. And you can’t customize the lifetime for Org Server.

Does this answer your question ?

1 Like

Yup, as @kulwch mentioned, the tokens issued by the Org auth server have a fixed lifetime, you can only adjust the lifetime for tokens issue by Custom auth servers.

Org Authorization Server lifetimes are laid out here: What Is the Lifetime of Okta Minted JSON Web Tokens(JWT) | Okta Help Center

Thanks @andrea and @kulwch , yes, I know the limitation about the lifetime is hard-coded for org authorization server. But I want to know if there is a way to get refresh token with flexible lifetime and accepts the custom scopes used for org authorization server?

Asking because I need a token to call management API so the scope like okta.users.read or other scopes are required. Therefore I choose Org Authorization Server in my implementation.

However, the lifetime for refresh token will make the reauthorization again every 90 days which is confusing to our customers.

Therefore, I would like to know if there’s a way / authorization server could both have flexible lifetime setting for refresh token and admin management scopes for access token at the same time?
Thanks !