Refresh token in implicit flow OIDC (SPA apps)


I’ve set up an SPA application in OKTA and that does not give the option to retrieve a Refresh token.

Is it possible to retrieve a refresh token using SPA applications? What would be the best approach to avoid redirecting the user to login in OKTA when the token gets expired?


I think you are asking a similar question as:

Thanks @tom, so /authorize with prompt=none before the token expires and that would refresh the token?

Yes, it does a very quick redirect to Okta and the app gets a new (fresh) access token. prompt=none ensures the user doesn’t see any login UI.

@nate.barbettini Thanks!


Hi @nate.barbettini. I am making a call to issuerEndpoint + ‘/v1/authorize?prompt=none’ including an existing access token in the authorization header. I am getting a CORS error even though I added my issuer and the domain where this SPA is running to trusted origins under Security > API. Any suggestions?

Thank you very much for help.

Did you find a solution to this @sart96?

Hi @sart96, @abvardy,

If you are still facing this issue, could you capture the network traces as a HAR file along with the error from the console and email them for further analysis? Usually a CORS error should not occur if the base URL is added to the Trusted Origins (Security -> API -> Trusted Origins) and CORS is enabled.

Hi @sart96, @abvardy

I am facing the same issue. Please help on this.

How to call & where to call & when to call ‘/v1/authorize?prompt=none’

It depends on whether you are using a refresh_token or not. If not, then you have to call /authorize while your Okta session is still active. If you use a refresh_token, call /token any time the refresh_token is still valid.
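The "how, where and when" of the prompt=none renewal, as an added example that is not part of this thread and not Okta's own code. It shows the pattern the answers above describe for an SPA without a refresh token: build the /v1/authorize URL with prompt=none, load it in a hidden iframe (the authorize endpoint is a browser-navigation endpoint, so it is loaded by the browser rather than called with fetch/XHR), and parse the fragment that comes back to the redirect_uri while still inside the Okta session. The issuer, client id and redirect URI below are placeholders, and the callback page at the redirect URI is assumed to post its location.hash back to the parent window.

```javascript
// Added example (not from the Okta thread): silent token renewal for an SPA
// using the implicit flow with prompt=none in a hidden iframe.
// Assumptions (hypothetical values): ISSUER, CLIENT_ID and REDIRECT_URI below.
const ISSUER = "https://example.okta.com/oauth2/default";            // placeholder issuer
const CLIENT_ID = "0oa-example-client-id";                           // placeholder client id
const REDIRECT_URI = "https://spa.example.com/silent-callback.html"; // placeholder callback

// Build the /v1/authorize URL. prompt=none tells Okta never to show login UI:
// if the session is gone it answers with error=login_required instead.
function buildSilentAuthorizeUrl({ issuer, clientId, redirectUri, state, nonce, scope = "openid profile email" }) {
  const url = new URL(issuer.replace(/\/$/, "") + "/v1/authorize");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("response_type", "token id_token");
  url.searchParams.set("response_mode", "fragment");
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", scope);
  url.searchParams.set("state", state);
  url.searchParams.set("nonce", nonce);
  url.searchParams.set("prompt", "none");
  return url.toString();
}

// Parse the fragment appended to redirect_uri. Returns { ok: true, tokens } or
// { ok: false, error }. The state check rejects responses this page did not start.
// The id_token still has to be validated (signature, aud, nonce) before it is trusted.
function parseFragmentResponse(fragment, expectedState) {
  const params = new URLSearchParams(fragment.replace(/^#/, ""));
  if (params.get("state") !== expectedState) {
    return { ok: false, error: "state_mismatch" };
  }
  if (params.has("error")) {
    // login_required / interaction_required: the Okta session has expired, so the
    // app must fall back to an interactive login redirect.
    return { ok: false, error: params.get("error"), description: params.get("error_description") || "" };
  }
  const accessToken = params.get("access_token");
  if (!accessToken) return { ok: false, error: "missing_access_token" };
  return {
    ok: true,
    tokens: {
      accessToken,
      idToken: params.get("id_token"),
      tokenType: params.get("token_type"),
      expiresIn: Number(params.get("expires_in")),
    },
  };
}

// When to renew: a short margin before expiry so the app never sends an expired token.
function shouldRenew(expiresAtMs, nowMs, marginMs = 60_000) {
  return nowMs >= expiresAtMs - marginMs;
}

function randomString(bytes = 16) {
  const buf = new Uint8Array(bytes);
  globalThis.crypto.getRandomValues(buf);
  return Array.from(buf, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Browser-only: run the renewal in a hidden iframe and resolve with the parsed tokens.
// The callback page at REDIRECT_URI (same origin as the SPA) is assumed to run
//   parent.postMessage(location.hash, window.location.origin)
function renewSilently(opts, timeoutMs = 10_000) {
  return new Promise((resolve, reject) => {
    const state = randomString();
    const nonce = randomString();
    const iframe = document.createElement("iframe");
    iframe.style.display = "none";
    const cleanup = () => { window.removeEventListener("message", onMessage); iframe.remove(); };
    const timer = setTimeout(() => { cleanup(); reject(new Error("silent renew timed out")); }, timeoutMs);
    const onMessage = (ev) => {
      // Accept only messages from our own origin and from this iframe.
      if (ev.origin !== window.location.origin || ev.source !== iframe.contentWindow) return;
      clearTimeout(timer);
      cleanup();
      const result = parseFragmentResponse(String(ev.data), state);
      if (result.ok) resolve(result.tokens); else reject(new Error(result.error));
    };
    window.addEventListener("message", onMessage);
    iframe.src = buildSilentAuthorizeUrl({ ...opts, state, nonce });
    document.body.appendChild(iframe);
  });
}

// Usage in the browser (guarded so the file also loads outside a browser):
if (typeof document !== "undefined") {
  renewSilently({ issuer: ISSUER, clientId: CLIENT_ID, redirectUri: REDIRECT_URI })
    .then((t) => console.log("renewed; expires in", t.expiresIn, "s"))
    .catch((e) => console.warn("silent renew failed, redirect to interactive login:", e.message));
}
```

Schedule renewSilently from a timer driven by shouldRenew against the current token's expiry; a login_required error is the signal that the Okta session itself has ended and only an interactive redirect will do.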