Continuing the discussion from Refresh access token with a refresh token acquired through PKCE flow:
Solution (renewTokens, when using showSignInAndRedirect, and Application Level MFA)
After a bit of confusion with our Org and how Okta handles the sign-in workflow with the Classic Engine SPA and okta-auth-js, we were able to implement a solution for getting users signed in with Application Level MFA. However, after a week or so, we noticed users were not refreshing their session through our custom "stay signed in" logic. Come to find out, when using Application Level MFA and showSignInAndRedirect, you have to do a few things for Okta to not prompt the user for MFA.
The solution linked above, Refresh access token with a refresh token acquired through PKCE flow, got me started; however, there were a few things different for my solution.
Steps I followed:
- Navigate to the Okta Console and find your SPA application: Applications > Applications.
  - Under the Application settings, ensure you enable Refresh Token.
- Next, let's make sure you've got offline_access as a scope within your API.
  - Navigate to Security > API.
  - Select your API in use, and ensure offline_access is a scope under the Scopes tab. If it's not there, add it.
- In your application code, where you define your OktaAuth config, make sure to add offline_access to your scopes array.
  - Note: I'm not sure if it's necessary, but I added the scopes to the OktaAuth config as well as my sign-in widget config.
- Lastly, start up your app, and ensure you have a refresh_token in your specified storage manager.
Once you have verified that your refresh_token is available, you can request new tokens without prompting the user.
const renewToken = await oktaAuth.token.renewTokens();
await oktaAuth.tokenManager.setTokens(renewToken);
And if you’re subscribed to any authState changes, you can verify whatever changed in the tokens.
Hope this helps~
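Putting the steps above together as one runnable piece, here is an added example that is not the original poster's code or Okta's. It builds the OktaAuth constructor options with offline_access guaranteed to be in the scopes array, checks that a refresh_token actually landed in the token manager before attempting a silent renewal, and only then calls token.renewTokens() followed by tokenManager.setTokens() as in the post. The OktaAuth client is injected rather than imported from @okta/okta-auth-js so the file runs offline; makeFakeOktaAuth is a constructed stand-in that mimics only the three calls used here, and the issuer, clientId, redirectUri and function names (buildOktaConfig, hasRefreshToken, renewSession) are assumptions for illustration.

```javascript
// Added example, not code from the original post. The option shape and the
// tokenManager.getTokens() / token.renewTokens() / tokenManager.setTokens()
// calls follow @okta/okta-auth-js; the client instance is passed in, so this
// file runs without the library. Issuer, clientId and redirectUri are placeholders.

const REQUIRED_SCOPES = ['openid', 'profile', 'email', 'offline_access'];

// Build OktaAuth constructor options. offline_access is the scope that makes the
// authorization server return a refresh_token next to the access and ID tokens.
function buildOktaConfig({ issuer, clientId, redirectUri, scopes = [] }) {
  const merged = Array.from(new Set([...scopes, ...REQUIRED_SCOPES]));
  return {
    issuer,
    clientId,
    redirectUri,
    pkce: true, // SPA: Authorization Code + PKCE, no client secret in the browser
    scopes: merged,
    tokenManager: { storage: 'sessionStorage' }, // per-tab storage, cleared on close
  };
}

// True only when the token manager holds a refresh_token. Without one, a renewal
// on a SPA with Application Level MFA falls back to a redirect and the user is
// prompted for MFA again, which is the behaviour the post describes.
async function hasRefreshToken(oktaAuth) {
  const tokens = await oktaAuth.tokenManager.getTokens();
  return Boolean(tokens && tokens.refreshToken);
}

// Silent renewal: exchange the stored refresh_token for fresh tokens and store
// them so any authStateManager subscribers fire with the new values.
async function renewSession(oktaAuth) {
  if (!(await hasRefreshToken(oktaAuth))) {
    return {
      renewed: false,
      reason: 'no refresh_token in storage; check offline_access scope and the Refresh Token grant',
    };
  }
  const renewed = await oktaAuth.token.renewTokens();
  await oktaAuth.tokenManager.setTokens(renewed);
  return { renewed: true, tokens: renewed };
}

// Constructed stand-in for an OktaAuth instance (not the real library): keeps
// tokens in memory and "renews" by pushing expiresAt an hour into the future.
function makeFakeOktaAuth(initialTokens) {
  let store = { ...initialTokens };
  let renewCalls = 0;
  return {
    tokenManager: {
      async getTokens() { return { ...store }; },
      async setTokens(tokens) { store = { ...tokens }; },
    },
    token: {
      async renewTokens() {
        renewCalls += 1;
        if (!store.refreshToken) throw new Error('renewTokens called without a refresh token');
        const now = Math.floor(Date.now() / 1000);
        return {
          accessToken: { ...store.accessToken, expiresAt: now + 3600 },
          idToken: { ...store.idToken, expiresAt: now + 3600 },
          refreshToken: store.refreshToken,
        };
      },
    },
    // inspection hook for the constructed stand-in only
    renewCallCount: () => renewCalls,
  };
}
```

In a real app you would pass buildOktaConfig(...) to new OktaAuth(...) and call renewSession(oktaAuth) from your "stay signed in" timer; the early return in renewSession is the check worth keeping, because it turns the silent MFA re-prompt into a visible configuration error.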