Refresh Token bugged

I’m using the Okta React library and the refresh flow is completely broken. The autoRenew feature is also buggy and the library itself recommends using getAccessTokenOrRefresh() for each request, disabling active refresh.

So I do this. I have set up my Authorization Server Access Policy to expire access tokens every 5 minutes for faster debugging. Refresh tokens are configured to expire every 10 minutes, or 8 if not used (which I don’t know what the point of is: what would I use a refresh token for other than refreshing? Doesn’t that make the lifetime of the refresh token 8 minutes all the time?)

Back to the app, things work normally until 4 minutes and 30 seconds, when the Expired event is emitted, because Okta React by default expires tokens 30 seconds early. If I try to make a request then, getAccessTokenOrRefresh will start a refresh request to the /token endpoint and get the token as expected, using the refresh_token grant, and everything works fine. But if 5 minutes and 1 second pass, the refresh request responds with 400 (Refresh token is expired or invalid). So I assume the Okta App configuration or the Access Policy Rule are not applying correctly to the refresh token lifetime.

I also logged all other events. After expiration, if I try to access the tokens, the ID token gets removed and immediately added back (I saw those events logged for the ID Token).

Hi,

In the Okta React sample (GitHub - okta/samples-js-react: React Auth SDK sample), if you just add the offline_access scope, you will be able to see the refresh token mechanism working fine. Can you take a look at the sample and then compare it with your integration to make the required modifications?

Hello.

I was already seeing the refresh token. I was using the “offline_access” scope, so that wasn’t the problem. But eventually I solved the issues. One of the problems was that my OktaAuth class was instantiated twice. I used the singleton pattern to make sure it was not happening again. Another problem was that I confused the token lifetimes. In the dashboard, there were two parameters referring to refresh token lifetime: “refresh token lifetime” and “expires in X if not used”. It turns out that if I wanted my refresh token to last 10 minutes and reset at every refresh, I had to modify “expires in X if not used”, not the “refresh token lifetime” parameter.

After these changes, and a few other improvements, everything was working fine. But I assume the biggest problem was that there were two OktaAuth instances that were somehow messing each other up behind the scenes and making me get 400 responses before it was time.
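
Added example, not part of the thread and not Okta's code: a small model of the two refresh-token limits named in the last post ("refresh token lifetime" and "expires in X if not used"), which replays a list of refresh attempts and reports which limit rejects each one. It assumes the idle window restarts on every successful refresh while the absolute lifetime counts from first issuance; the function name, field names and timestamps are constructed for illustration.

```javascript
// Model of a refresh token governed by two independent limits.
// Assumption: idle window slides on each successful use; absolute lifetime does not.
const MIN = 60 * 1000;

function simulateRefreshes({ lifetimeMs, idleMs, attemptsMs }) {
  const issuedAt = 0;            // token issued at t = 0 (login)
  let lastUsedAt = issuedAt;     // idle timer starts at issuance
  // Replay attempts in chronological order, whatever order they were logged in.
  return [...attemptsMs].sort((a, b) => a - b).map((atMs) => {
    if (atMs >= issuedAt + lifetimeMs) {
      // Hard cap: no amount of refreshing extends this.
      return { atMs, ok: false, reason: "absolute_lifetime" };
    }
    if (atMs >= lastUsedAt + idleMs) {
      // Token sat unused for longer than the idle window.
      return { atMs, ok: false, reason: "idle_timeout" };
    }
    lastUsedAt = atMs;           // successful refresh restarts the idle window
    return { atMs, ok: true, reason: null };
  });
}

// Constructed timeline using the thread's settings: 10 min lifetime, 8 min idle.
// Refreshes at 4:30 and 9:00 succeed; 10:01 hits the absolute lifetime.
const threadSettings = simulateRefreshes({
  lifetimeMs: 10 * MIN,
  idleMs: 8 * MIN,
  attemptsMs: [4.5 * MIN, 9 * MIN, 10 * MIN + 1000],
});

// Constructed timeline with a long lifetime: the 8 min idle window is what
// rejects a refresh at 13:00 after the previous use at 4:30.
const idleCase = simulateRefreshes({
  lifetimeMs: 60 * MIN,
  idleMs: 8 * MIN,
  attemptsMs: [4.5 * MIN, 13 * MIN],
});

// Constructed timeline where regular use keeps the token alive past the idle
// window measured from issuance: each refresh is within 10 min of the last.
const slidingCase = simulateRefreshes({
  lifetimeMs: 60 * MIN,
  idleMs: 10 * MIN,
  attemptsMs: [9 * MIN, 18 * MIN, 27 * MIN],
});

console.log(threadSettings, idleCase, slidingCase);
```

Under this model a 400 at 5 minutes and 1 second is not explained by either limit with the settings given in the first post.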