Refresh token has same expiration as accessToken and idToken

I’ve been noticing lately that my refresh token has the same expiration time as my access and id tokens.

Our app is a React single spa (micro front ends). The Okta app is an OIDC app using Authorization Code with PKCE.


Any idea why this might happen?

Hello gbulmer,

How are you getting the expiration of the refresh token? Are you using the browser developer console to view the token storage? If so, that value is not the true value of the expiration but is just filled in by the SDK. In order to check validity, use the /introspect endpoint.
The auth-js SDK will not use the value it stores for the expiry of the refresh token; rather, it will attempt to refresh tokens with the current refresh token. If the call fails, then the refresh token has expired or has been revoked.

Where are you seeing the refresh token having the same expiration data as the access token and ID token? Is it when the tokens get stored in the tokenManager when using our SDKs? If so, that value does not accurately document the actual expiration of the refresh token and is only added because it is required to store the token.

If you send the refresh token to its introspect endpoint, does it appear to still be valid after 1hr has elapsed?

Hi Erik. Thanks for your response.

I was getting it from tokenManager.get("refreshToken").

Is there an option to call the introspect endpoint using a method on either tokenManager or OktaAuth object?

What’s your use case that you are trying to get the refresh token’s expiration date? As long as you have autorenew enabled (which it is by default), the library will handle all the renewals for you and you don’t need to worry about the token expiration.
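The /introspect check discussed in this thread, as an added example that is not part of any post and is not Okta's own code: it builds the introspection request for a public PKCE client and compares the server's `exp` with the `expiresAt` the SDK stored. Assumptions: the endpoint path is derived from the issuer as `<issuer>/v1/introspect` (custom authorization server) or `<issuer>/oauth2/v1/introspect` (org server), the stored token object has `refreshToken` and `expiresAt` fields, and all function names are hypothetical.

```javascript
// Added example: ask the authorization server whether a refresh token is still
// valid instead of trusting the expiresAt value kept in token storage.
// Assumed endpoint layout: <issuer>/v1/introspect when the issuer ends in
// /oauth2/<id>, otherwise <issuer>/oauth2/v1/introspect.
function buildIntrospectRequest(issuer, clientId, refreshToken) {
  if (new URL(issuer).protocol !== 'https:') {
    throw new Error('refusing to send a refresh token to a non-HTTPS issuer');
  }
  const root = issuer.replace(/\/+$/, '');
  const path = /\/oauth2\/[^/]+$/.test(root) ? '/v1/introspect' : '/oauth2/v1/introspect';
  // Public (PKCE) client: identified by client_id only, no client secret.
  const body = new URLSearchParams({
    token: refreshToken,
    token_type_hint: 'refresh_token',
    client_id: clientId,
  });
  return {
    url: root + path,
    options: {
      method: 'POST',
      headers: {
        Accept: 'application/json',
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      body: body.toString(),
    },
  };
}

// Compare the server's answer with the stored expiresAt (both epoch seconds).
function compareExpiry(introspection, storedExpiresAt, nowSeconds) {
  if (!introspection || introspection.active !== true) {
    return { active: false, secondsRemaining: 0, storedValueMatches: false };
  }
  const exp = typeof introspection.exp === 'number' ? introspection.exp : null;
  return {
    active: true,
    secondsRemaining: exp === null ? null : Math.max(0, exp - nowSeconds),
    storedValueMatches: exp !== null && exp === storedExpiresAt,
  };
}

// token: the stored refresh token object (assumed fields: refreshToken, expiresAt).
async function introspectRefreshToken(issuer, clientId, token, fetchImpl = fetch) {
  const { url, options } = buildIntrospectRequest(issuer, clientId, token.refreshToken);
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error(`introspect failed: HTTP ${res.status}`);
  return compareExpiry(await res.json(), token.expiresAt, Math.floor(Date.now() / 1000));
}
```

A result with `active: true` and `storedValueMatches: false` is the situation described above: the token is still valid on the server even though the stored expiry suggests otherwise.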
