Possible bug: AuthorizationException

Stephan · May 18, 2026, 11:57pm

We have an issue with the AuthorisationException for token refresh: in our view, it is thrown too quickly, for example even in the case of connection problems or 500 server errors. Our apps have always responded to an AuthorisationException by logging the user out, as we assumed that an AuthorisationException represents an authorisation error that must be resolved by logging out. We believe that, for example, a connection problem or a 500 error represents a temporary error that should under no circumstances be responded to with an AuthorizationException, as this is misleadingly interpreted as a reason to log the user out. We have now fixed the problem by checking the cause in the AuthorizationException and evaluating it accordingly. We only log the user out if it is a genuine authorisation error. Otherwise, we have now introduced a ‘stale state’, which indicates a temporary problem, for example, but keeps the user logged in.
The issue can be easily replicated using Airplane Mode on Android or iOS: if we try to refresh the page whilst in Airplane Mode, we immediately get an AuthorizationException.

Our question is: would it perhaps make sense to extend Okta’s exception handling so that we receive different exceptions that distinguish between various types of authentication failure? Do you perhaps have another suggested solution that we are not yet aware of?

We have at least fixed the bug so that we generate four different exceptions following the evaluation of AuthorizationException: TemporaryRefreshFailureException, ProtocolRefreshFailureException, UnknownRefreshFailureException and SessionInvalidRefreshFailureException, although only SessionInvalidRefreshFailureException represents a genuine authentication error for us.

We would be grateful for a reply; thank you in advance.

Noya · May 19, 2026, 8:37am

This should be the reference to the code in the library that deliver the exception:

github.com/okta/okta-oidc-android

library/src/main/java/com/okta/oidc/net/request/TokenRequest.java

c60ccc3cb


      
              params.put("client_id", client_id);
              params.put("grant_type", grant_type);
              params.put("redirect_uri", redirect_uri);
              params.put("code_verifier", code_verifier);
              params.put("code", code);
              params.put("nonce", nonce);
              return params;
          }
          
          @Override
          public TokenResponse executeRequest(OktaHttpClient client) throws AuthorizationException {
              HttpResponse response = null;
              TokenResponse tokenResponse;
              try {
                  response = openConnection(client);
                  JSONObject json = response.asJsonWithErrorDescription();
                  if (json.has(AuthorizationException.PARAM_ERROR)) {
                      try {
                          final String error = json.getString(AuthorizationException.PARAM_ERROR);
                          throw AuthorizationException.fromOAuthTemplate(
                                  AuthorizationException.TokenRequestErrors.byString(error),

krishna · May 26, 2026, 10:42am

Hey, thanks for asking this question,

I checked the error shapes, if you are referring to the file shared by Noya on okta-oidc-android, but a bit of background on your SDK versions will help us give you the right guidance.

Given the pattern okta-oidc-android is now legacy architecture, we don’t have active plans for overhauls in it for now, we do however actively work on okta-mobile-kotlin from what we learned from our customers which isn’t a drop-in replacement but a better architecture for mobile authentication overall. You might want to migrate if you are using legacy as a best first step.

Please raise a GH issue in okta-mobile-kotlin, we have the devs actively triaging issues and if taken up, the fix will be in the next release cycle.

Post		Replies	Views
Handle AuthorizationException from LoginActivity - Android Questions	1	4614	March 1, 2019
No authorization configuration available for refresh request okta Questions	4	4557	May 13, 2019
Persistent OAuth 2.0 Token Expiration and Login Failures on My Culver Menu Website Using Okta OAuth/OIDC	2	84	February 25, 2026
Invalid grant and The refresh token is invalid or expired OAuth/OIDC vue , oauth , authjs	10	5441	July 22, 2024
Authorization Error : Error Code 9 : Response state param did not match request state Questions	2	5377	May 9, 2022

Possible bug: AuthorizationException

Related topics