I have a React SPA that uses Okta with the “refresh token rotation” feature enabled. Despite the current configuration (refresh token set to unlimited, but expires after 7 days), when the user authenticates, the expiration of the refresh token is the same as the access token expiration (set to 1 hour in my case).
This results in users being disconnected, as they can go idle and come back after the access token has expired. Usually the refresh token would be used to regenerate an access token, but in my case the refresh token expires at the same time, resulting in the user being logged out.
Is there any reason why the refresh token has the same expiration as the access token? How can I configure my application such that the refresh token has the correct expiration?
What happens when you try to use the refresh token after 1 hour has passed? Do you see an error at the /token endpoint?
You may also want to try sending the refresh token to the introspect endpoint to check when it expires. Per the access rule you shared, provided your user is encountering it, the refresh token should have an ‘exp’ (returned at the introspect endpoint) that is 7 days from when the tokens were issued.
I see what you mean, the expiration I see in my local storage is not the same as the expiration I get when introspecting the refresh_token. I tried using the refresh_token after the access_token expired, and it works.
Which means I’m a bit at a loss here… Do you have any other clue as to why users get disconnected when the access_token expires? In our experience, it looks like it happens consistently for users that have multiple tabs of our SPA open.
That seems odd. You do see that the initial token request for the application is coming back with a refresh token, right? Do you not see any attempts to get new tokens with a refresh token on any of the tabs?
We are facing the same issue as mentioned above. Our current configuration is refresh token expiry set to unlimited (but expires if unused for 7 days).
We try to regenerate the access tokens every hour using the refresh token. But at some point, the refresh token expires all of a sudden although it is being used constantly every hour, and as a result the access token expires and is not regenerated, and our customers face issues when the user authenticates.
Can you please let us know if we need to make any changes in our configuration so that the refresh token doesn’t expire as long as it’s constantly used.
Is it just that within our SDK the refresh token lists the wrong lifetime, or does the token itself also indicate an incorrect lifetime (when sent to /introspect)?
How can I help confirm that? When using the SDK the expiration is set to 5 mins on the refresh token even though it is configured to unlimited in the configuration.
You can check local storage on your app for the tokens stored in the token manager and use the /introspect endpoint to check if the refresh token stored within has the correct lifetime or not.
If you wait 5 minutes (or whatever lifetime you have set for your access tokens), do you see any network calls to Okta’s /authorize or /token endpoints occur?
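The check suggested in the two replies above (read the tokens the token manager put in local storage, then introspect the refresh token and compare) as an added example. This is not code from the thread or from Okta's SDK. It assumes the okta-auth-js defaults for the storage key (`okta-token-storage`) and the `{ accessToken: { expiresAt }, refreshToken: { expiresAt } }` layout; the issuer, client ID, token strings and the introspect response are constructed sample values standing in for a real tenant.

```javascript
// Added diagnostic example, not code from the thread or from Okta's SDK.
// It reproduces the check the replies describe: read the tokens the
// okta-auth-js token manager wrote to localStorage, build the /introspect
// request for the refresh token, and compare the two expirations.
//
// Assumptions (labelled): the storage key "okta-token-storage" and the
// { accessToken: { expiresAt }, refreshToken: { expiresAt } } layout follow
// okta-auth-js defaults; ISSUER, CLIENT_ID and every token string below are
// constructed sample values, not real credentials.

const STORAGE_KEY = "okta-token-storage";
const ISSUER = "https://dev-000000.okta.com/oauth2/default"; // hypothetical issuer
const CLIENT_ID = "0oaexampleclientid000"; // hypothetical public SPA client

const ISSUED_AT = 1700000000; // constructed issue time, seconds since epoch

// Constructed localStorage value reproducing the symptom from the thread:
// both tokens carry the same expiresAt, one hour after issuance.
const SAMPLE_STORAGE = JSON.stringify({
  accessToken: { accessToken: "eyJ.sample.access", tokenType: "Bearer", expiresAt: ISSUED_AT + 3600 },
  refreshToken: { refreshToken: "sample-refresh-token-value", expiresAt: ISSUED_AT + 3600 },
});

// Constructed /introspect response for that refresh token: still active, and
// the server's exp is seven days after issuance, as the access policy says.
const SAMPLE_INTROSPECT = { active: true, token_type: "refresh_token", exp: ISSUED_AT + 7 * 24 * 3600 };

// Parse the token manager's storage blob. Takes the raw string so it can be
// fed from window.localStorage.getItem(STORAGE_KEY) or from a test fixture.
function readTokenStorage(raw) {
  const store = JSON.parse(raw);
  if (!store.refreshToken) {
    throw new Error("no refresh token in storage: check that offline_access was requested");
  }
  return {
    accessExpiresAt: store.accessToken ? store.accessToken.expiresAt : null,
    refreshExpiresAt: store.refreshToken.expiresAt,
    refreshToken: store.refreshToken.refreshToken,
  };
}

// Build the introspection request. A SPA is a public client, so it sends
// client_id in the form body rather than a client secret.
function buildIntrospectRequest(issuer, clientId, refreshToken) {
  const body = new URLSearchParams({
    token: refreshToken,
    token_type_hint: "refresh_token",
    client_id: clientId,
  });
  return {
    url: `${issuer}/v1/introspect`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded", Accept: "application/json" },
    body: body.toString(),
  };
}

// Compare what the SDK stored with what the server reports.
function compareLifetimes(stored, introspect) {
  if (!introspect.active) {
    return { active: false, verdict: "server reports the refresh token as inactive" };
  }
  const sameAsAccess = stored.accessExpiresAt !== null && stored.refreshExpiresAt === stored.accessExpiresAt;
  const gapSeconds = introspect.exp - stored.refreshExpiresAt;
  return {
    active: true,
    storedRefreshExpiresAt: stored.refreshExpiresAt,
    serverRefreshExp: introspect.exp,
    sameAsAccessToken: sameAsAccess,
    gapSeconds,
    verdict: gapSeconds === 0
      ? "stored and server lifetimes agree"
      : `SDK storage understates the refresh token lifetime by ${gapSeconds} seconds; trust /introspect`,
  };
}

// Run the whole comparison over raw storage plus a parsed introspect response.
function diagnose(rawStorage, introspect) {
  const stored = readTokenStorage(rawStorage);
  return { request: buildIntrospectRequest(ISSUER, CLIENT_ID, stored.refreshToken), ...compareLifetimes(stored, introspect) };
}

// Stand-alone run over the constructed fixtures (in a browser, replace
// SAMPLE_STORAGE with window.localStorage.getItem(STORAGE_KEY) and send
// diagnose(...).request with fetch to get the real introspect response).
console.log(JSON.stringify(diagnose(SAMPLE_STORAGE, SAMPLE_INTROSPECT), null, 2));
```

With the constructed fixtures the result flags `sameAsAccessToken: true` and a gap of 601200 seconds (7 days minus 1 hour), which is the pattern the replies are pointing at: the value in storage mirrors the access token lifetime, while the server's `exp` is the one that decides whether the refresh will succeed.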
That’s good; that matches our expected behavior. At this time the SDK is designed to report the access token lifetime as part of the refresh token lifetime when saving them to storage (more like meeting a requirement to store the token, not a value that is used by the SDK in any way).