Refresh token expiration

mathieuv · February 19, 2021, 4:29pm

Hi,

I have a React SPA that uses Okta with the “refresh token rotation” feature enabled. Despite the current configuration (refresh token set to unlimited, but expires after 7 days), when the user authenticates, the expiration of the refresh token is the same as the access token expiration (set to 1 hour in my case).

This results in users being disconnected as they can go idle and come back after the access token is expired. Usually the refresh token would be used to regenerate an access token, but in my case the refresh token expires at the same time, resulting in the user logging out.

Is there any reason why the refresh token has the same expiration as the access token? How can I configure my application such that the refresh token has the correct expiration?

Thank you,

mathieuv

Lijia · February 19, 2021, 5:05pm

@mathieuv Can you please add a pic for your current configuration in Okta org?

mathieuv · February 22, 2021, 11:12am

@Lijia For tests purposes we switched to 5 minutes. Is this the configuration you were looking for?

mathieuv · February 25, 2021, 9:25am

Hey! Just wondering if anyone had information on my issue .

andrea · February 25, 2021, 9:24pm

What happens when you try to use the refresh token after 1 hour has passed? Do you see an error at the /token endpoint?

You may also want to try sending the refresh token to the introspect endpoint to check when it expires. Per the access rule your shared, provided your user is encountering it, the refresh token should have an ‘exp’ (returned at the introspect endpoint) that is 7 days from when the tokens were issued.

mathieuv · February 26, 2021, 9:56am

I see what you mean, the expiration I see in my local storage is not the same as the expiration I get when introspecting the refresh_token. I tried using the refresh_token after the access_token expiration and it works.

Which means I’m a bit at loss here… Do you have any other clue as to why users get disconnected when the access_token expires? In our experience, it looks like it happens consistently for users that have multiple tabs of our SPA open.

andrea · March 2, 2021, 8:02pm

That seems odd. You do see that the initial token request for the application is coming back with a refresh token, right? Do you not see any attempts to get new tokens with a refresh token on any of the tabs?