Redundant /oauth2/default/v1/authorize calls, triggered by Okta

While considering Okta’s feature https://developer.okta.com/docs/reference/rl-clientbased/, we noticed that occasionally one of our applications integrated with Okta triggers redundant “/oauth2/default/v1/authorize” calls some time after the user authenticates, up to 8-10, with the following interval:

2024-03-04T16:35:46.740Z
2024-03-04T16:35:46.730Z
2024-03-04T16:35:46.733Z
2024-03-04T16:35:46.727Z
2024-03-04T16:35:46.783Z
2024-03-04T16:35:46.659Z
2024-03-04T16:35:46.730Z

We integrated using https://developer.okta.com/docs/guides/implement-grant-type/authcodepkce/main/*authorization-code-with-pkce-flow.

Meanwhile, during troubleshooting, when authorizing and obtaining the access and ID tokens via the UI, our client applications trigger just the appropriate number of calls and successfully obtain the required tokens.

Can you please advise what can be the cause of those redundant calls triggered by Okta libraries?

Which Okta libraries are you using?

We use the following Okta libraries:
On the client side (JavaScript React application):
1. “@okta/okta-react@^5.1.1”:
version “5.1.2”
resolved “https://registry.npmjs.org/@okta/okta-react/-/okta-react-5.1.2.tgz”
2. “@okta/okta-auth-js@^4.8.0”:
version “4.9.2”
resolved “https://registry.npmjs.org/@okta/okta-auth-js/-/okta-auth-js-4.9.2.tgz”
3. “@okta/okta-signin-widget@^5.5.3”:
version “5.14.0”
resolved “https://registry.npmjs.org/@okta/okta-signin-widget/-/okta-signin-widget-5.14.0.tgz”

And on the back-end side (Java service, fully separate from the JS application):

  1. okta-spring-boot-starter (version ‘2.1.3’)
    +--- com.okta.spring:okta-spring-security-oauth2:2.1.3
    +--- com.okta.commons:okta-config-check:1.2.8
    +--- com.okta.commons:okta-commons-lang:1.2.8
  2. com.okta.spring:okta-spring-sdk:2.1.3

How were you able to determine that these extra calls were occurring? Were you just seeing them in the browser network events? Do they only happen when the user first hits the application, only during renewal, or any time when the user does not have valid tokens available in the application?

How were you able to determine that these extra calls were occurring? ← We noticed these excessive Okta calls in Okta’s own logs (during analysis preliminary to enabling the CBRL feature).
These aforementioned redundant Okta calls get triggered after some time (2-5 hours) of user inactivity. Meanwhile, when a user authenticates / authorizes via the UI, our client application (integrated with Okta) triggers the appropriate / expected calls.

Could these additional /authorize requests be related to a failed token renewal, where your app keeps trying to authorize the user (because they are not authenticated) even though the renewal is failing?

Obviously, this would be easier to investigate if this is something you have managed to reproduce yourself.
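An added example, not part of the thread and not Okta's code: one way to pick such bursts out of exported log records so they can be lined up with token renewal failures. The record shape (`ts`, `clientId`, `path`), the `spa-client` id and the thresholds are assumptions; the seven burst timestamps are the ones posted above.

```javascript
// Added example: flag bursts of /authorize requests per client in exported log records.
// The record shape ({ ts, clientId, path }) is an assumption, not Okta's log schema.
const AUTHORIZE_PATH = "/oauth2/default/v1/authorize";

function findAuthorizeBursts(records, { windowMs = 1000, minCalls = 3 } = {}) {
  // Keep only authorize calls and bucket their timestamps by client.
  const byClient = new Map();
  for (const r of records) {
    if (r.path !== AUTHORIZE_PATH) continue;
    const t = Date.parse(r.ts);
    if (Number.isNaN(t)) continue; // skip malformed timestamps
    if (!byClient.has(r.clientId)) byClient.set(r.clientId, []);
    byClient.get(r.clientId).push(t);
  }

  const bursts = [];
  for (const [clientId, times] of byClient) {
    times.sort((a, b) => a - b); // exported rows are not always chronological
    let start = 0;
    for (let i = 1; i <= times.length; i++) {
      // Close the cluster when the next call falls outside the window, or at the end.
      if (i === times.length || times[i] - times[start] > windowMs) {
        const count = i - start;
        if (count >= minCalls) {
          bursts.push({
            clientId,
            count,
            first: new Date(times[start]).toISOString(),
            spanMs: times[i - 1] - times[start],
          });
        }
        start = i;
      }
    }
  }
  return bursts;
}

// Timestamps as posted in the thread; the clientId value is constructed.
const posted = ["46.740", "46.730", "46.733", "46.727", "46.783", "46.659", "46.730"]
  .map((s) => ({ ts: `2024-03-04T16:35:${s}Z`, clientId: "spa-client", path: AUTHORIZE_PATH }));
// Constructed: one ordinary interactive sign-in earlier the same day.
const sample = [
  { ts: "2024-03-04T12:10:02.100Z", clientId: "spa-client", path: AUTHORIZE_PATH },
  ...posted,
];
console.log(findAuthorizeBursts(sample));
```

The single interactive sign-in is ignored, while the seven posted calls collapse into one burst whose `first` timestamp can be compared against the 2-5 hour inactivity period described above.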