Refresh token expiry time not extended after renew

Hi there,

I have a query regarding refresh token expiry time. Is refresh token expiry time extended once it is used to renew the access token successfully?

Let’s consider the following example,

Here is the configuration in Okta org
Access Token Expiry Time - 30 minutes
Refresh Token Expiry Time - 1 Hour
Refresh Token behavior - Rotate token after every use

Use case
At 9:00 AM, a user is able to log in successfully. With this, the access token is valid till 9:30 AM and the refresh token is valid till 10:00 AM. At 9:30 AM, the refresh token is used to renew the expired access token which will renew the refresh token also. With this, the access token is valid till 10:00 AM now. Here is the confusion. What will be the validity time of the new refresh token - 10:00 AM or 10:30 AM?

I have used Android Okta Java SDK (GitHub - okta/okta-oidc-android: OIDC SDK for Android). As per the sample provided in this SDK, the new refresh token is valid till 10:00 AM which is an issue. When the new refresh token is used to renew the access token again at 10:15 AM then it throws an error - Invalid-grant. The new refresh token should be valid for the next 1 Hour i.e. 10:30 AM. Please let me know if this behavior is as per the Okta design.

Any help will be greatly appreciated.

Hello Anshh,

There are 3 values to take into account,

  • Access token lifetime
  • Refresh Token lifetime
  • but will expire if not used every

The Refresh Token lifetime is a concrete value no matter how many times it is used. This value will not extend. If you want to allow a refresh token to keep getting a new access token and extend as long as it is used once an hour, you would set:

  • 30 min
  • unlimited
  • 60 min

This refresh token will never expire as long as it is used once every 60 minutes. If 60 minutes go by where it is not used it will become invalidated.
Often you won’t use unlimited but rather 24 hours to force a login at least once a day, or 7 days to force it once a week, etc for the but will expire if not used every value.

1 Like

Hi Erik,

Thanks for the quick response. This information is very helpful for me.

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.