Refresh token using okta-auth-js and React (Solution)

Continuing the discussion from Refresh access token with a refresh token acquired through PKCE flow:

Solution (renewTokens, when using showSignInAndRedirect, and Application Level MFA)

After a bit of confusion with our Org and how Okta handles the signin workflow with the classic engine spa and okta-auth-js we were able to implement a solution for getting users signed in with Application Level MFA. However after a week or so, we noticed users were not refreshing their session through our custom (stay signed in logic). Come to find out, when using application level mfa and showSignInAndRedirect you have to do a few things for Okta to not prompt the user for MFA.

The solution linked above Refresh access token with a refresh token acquired through PKCE flow got me started, however there were a few things different for my solution.

Steps I followed:

  1. Navigate to Okta Console and Find your spa application. Applications > Applications
  2. Under the Application settings ensure to enable Refresh Token
  3. Next let’s make sure you’ve got offline_access as a scope within your API
    • Navigate Security > API
    • Select your API in use, and ensure offline_access is a scope under the scopes tab.
    • If it’s not there add it.
  4. In your application code, where you define your OktaAuth config make sure to add offline_access to your scopes array
    • Note: I’m not sure if it’s necessary, but I added the scopes to the Okta Auth config as well as my signin widget config

Lastly, start up your app, and ensure you have a refresh_token in your specified storage manager.

Once verified that your refresh_token is available. You can then request new tokens without prompting the user.

const renewToken = await oktaAuth.token.renewTokens();
await oktaAuth.tokenManager.setTokens(renewToken);

And if you’re subscribed to any authState changes, you can verify whatever changed in the tokens.

Hope this helps~


Hi, confirming yes, Step 4 is necessary i.e. offline_access must be added to your Okta Sign in Widget Config Options. Thanks for sharing your solution!

1 Like