Hi there,
I have a query regarding refresh token expiry time. Is refresh token expiry time extended once it is used to renew the access token successfully?
Let's consider the following example.
Here is the configuration in the Okta org:
Access Token Expiry Time - 30 minutes
Refresh Token Expiry Time - 1 Hour
Refresh Token behavior - Rotate token after every use
Use case:
At 9:00 AM, a user is able to log in successfully. With this, the access token is valid till 9:30 AM and the refresh token is valid till 10:00 AM. At 9:30 AM, the refresh token is used to renew the expired access token which will renew the refresh token also. With this, the access token is valid till 10:00 AM now. Here is the confusion. What will be the validity time of the new refresh token - 10:00 AM or 10:30 AM?
I have used the Android Okta Java SDK (GitHub - okta/okta-oidc-android: OIDC SDK for Android). As per the sample provided in this SDK, the new refresh token is valid till 10:00 AM, which is an issue. When the new refresh token is used to renew the access token again at 10:15 AM, it throws an error - Invalid-grant. The new refresh token should be valid for the next 1 hour, i.e., 10:30 AM. Please let me know if this behavior is as per the Okta design.
Any help will be greatly appreciated.
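To make the two possible outcomes in the question concrete, here is an added toy model (not Okta's code and not from the SDK linked above) of an authorization server that rotates the refresh token on every use. The `sliding` flag selects between two assumed policies: keeping the original absolute expiry across rotations, or resetting the expiry to a full lifetime from the moment of use. The 9:00 / 9:30 / 10:15 timeline, the 30-minute and 1-hour lifetimes, and the calendar date are constructed for the simulation; the `invalid_grant` behaviour for a replayed (already-rotated) token is the standard OAuth 2.0 response, which is also the reason a client must never keep using an old refresh token after rotation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets


class InvalidGrant(Exception):
    """Mirrors the OAuth 2.0 'invalid_grant' error a client receives."""


@dataclass
class RefreshToken:
    value: str
    expires_at: datetime


class ToyTokenServer:
    """Constructed authorization server (assumption, not Okta's implementation).

    Every successful refresh invalidates the presented refresh token and issues
    a new one. With sliding=False the new token inherits the original absolute
    expiry; with sliding=True it gets a fresh full lifetime from 'now'.
    """

    def __init__(self, access_ttl: timedelta, refresh_ttl: timedelta, sliding: bool):
        self.access_ttl = access_ttl
        self.refresh_ttl = refresh_ttl
        self.sliding = sliding
        self._active: dict[str, RefreshToken] = {}  # token value -> live token

    def _issue(self, expires_at: datetime) -> RefreshToken:
        rt = RefreshToken(secrets.token_urlsafe(16), expires_at)
        self._active[rt.value] = rt
        return rt

    def login(self, now: datetime) -> tuple[datetime, RefreshToken]:
        """Initial authentication: returns access-token expiry and refresh token."""
        return now + self.access_ttl, self._issue(now + self.refresh_ttl)

    def refresh(self, presented: str, now: datetime) -> tuple[datetime, RefreshToken]:
        # Rotation: the presented token is single-use, so retire it first.
        old = self._active.pop(presented, None)
        if old is None:
            # Unknown or already-rotated token: treated as replay -> invalid_grant.
            raise InvalidGrant("refresh token unknown or already used")
        if now >= old.expires_at:
            raise InvalidGrant("refresh token expired")
        new_expiry = now + self.refresh_ttl if self.sliding else old.expires_at
        return now + self.access_ttl, self._issue(new_expiry)


def run_scenario(sliding: bool) -> tuple[str, bool]:
    """Replay the question's timeline and report (expiry of the rotated refresh
    token as HH:MM, whether the 10:15 refresh succeeds)."""
    server = ToyTokenServer(timedelta(minutes=30), timedelta(hours=1), sliding)
    t0 = datetime(2024, 1, 1, 9, 0)  # constructed start time: 9:00 AM login
    _, rt1 = server.login(t0)
    _, rt2 = server.refresh(rt1.value, t0 + timedelta(minutes=30))  # 9:30 AM
    try:
        server.refresh(rt2.value, t0 + timedelta(minutes=75))  # 10:15 AM
        second_refresh_ok = True
    except InvalidGrant:
        second_refresh_ok = False
    return rt2.expires_at.strftime("%H:%M"), second_refresh_ok


def replayed_token_is_rejected() -> bool:
    """After rotation, presenting the superseded token must fail regardless of policy."""
    server = ToyTokenServer(timedelta(minutes=30), timedelta(hours=1), sliding=True)
    t0 = datetime(2024, 1, 1, 9, 0)
    _, rt1 = server.login(t0)
    server.refresh(rt1.value, t0 + timedelta(minutes=5))
    try:
        server.refresh(rt1.value, t0 + timedelta(minutes=6))  # reuse of rt1
    except InvalidGrant:
        return True
    return False


if __name__ == "__main__":
    print("absolute expiry:", run_scenario(sliding=False))  # ('10:00', False)
    print("sliding expiry: ", run_scenario(sliding=True))   # ('10:30', True)
    print("replay rejected:", replayed_token_is_rejected())  # True
```

Under the absolute-expiry policy the rotated token still dies at 10:00 and the 10:15 refresh fails with invalid_grant, which matches the behaviour observed in the question; under the sliding policy it lives until 10:30. Whichever policy the server applies, a client should treat invalid_grant as a signal to discard all stored tokens and send the user back through login rather than retrying, and should persist the newest refresh token immediately after each rotation so the superseded one is never presented again.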