Continuing the discussion from Refresh access token with a refresh token acquired through PKCE flow:
Solution (renewTokens, when using showSignInAndRedirect, and Application Level MFA)
After a bit of confusion with our Org and how Okta handles the sign-in workflow with the Classic Engine, a spa application, and okta-auth-js, we were able to implement a solution for getting users signed in with Application Level MFA. However, after a week or so, we noticed users were not refreshing their session through our custom "stay signed in" logic. Come to find out, when using Application Level MFA and showSignInAndRedirect, you have to do a few things for Okta to not prompt the user for MFA.
The solution linked above, Refresh access token with a refresh token acquired through PKCE flow, got me started; however, there were a few things that were different for my solution.
Steps I followed:
- Navigate to the Okta Console and find your spa application (Applications > Applications).
- Under the Application settings, ensure Refresh Token is enabled.
- Next, make sure you've got offline_access as a scope within your API:
  - Navigate to Security > API.
  - Select your API in use, and ensure offline_access is a scope under the Scopes tab. If it's not there, add it.
- In your application code, where you define your OktaAuth config, make sure to add offline_access to your scopes array.
  - Note: I'm not sure if it's necessary, but I added the scopes to the OktaAuth config as well as my sign-in widget config.
- Lastly, start up your app, and ensure you have a refresh_token in your specified storage manager.
Once you've verified that your refresh_token is available, you can then request new tokens without prompting the user:

// renewTokens() uses the stored refresh token to get a fresh set of tokens
const renewToken = await oktaAuth.token.renewTokens();
// write the renewed access/ID/refresh tokens back into the token manager
await oktaAuth.tokenManager.setTokens(renewToken);

And if you're subscribed to any authState changes, you can verify whatever changed in the tokens.
Hope this helps~
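As an added example that is not part of the original post and not Okta's own code: a "stay signed in" helper built around the renewTokens/setTokens calls above, with the precondition the post arrives at made explicit. It refuses to call renewTokens() unless a refresh_token is actually present in the token manager (the post's observation is that without one, renewal ends up prompting for application-level MFA), and it surfaces renewal errors instead of swallowing them. The OktaAuth client is passed in rather than constructed, so the same function runs against a real `new OktaAuth(oktaConfig)` in the browser or against the constructed stand-in included here; the stand-in, the issuer/clientId placeholders, and the `staySignedIn`/`hasRefreshToken`/`scopesIncludeOfflineAccess` names are all assumptions of this example, not okta-auth-js API.

```javascript
// Added example (not from the original post). In a real app you would do:
//   import { OktaAuth } from '@okta/okta-auth-js';
//   const oktaAuth = new OktaAuth(oktaConfig);
// and pass that client to staySignedIn(). Here a constructed stand-in is used
// so the logic can run offline.

// Config as described in the post: offline_access must be in scopes, or Okta
// will not issue a refresh_token and renewTokens() cannot use one.
// issuer/clientId/redirectUri are placeholders (assumption of this example).
const oktaConfig = {
  issuer: 'https://{yourOktaDomain}/oauth2/default',
  clientId: '{clientId}',
  redirectUri: 'https://app.example.com/login/callback',
  pkce: true,
  scopes: ['openid', 'profile', 'email', 'offline_access'],
};

// Sanity check for the config step: is offline_access requested at all?
function scopesIncludeOfflineAccess(config) {
  return Array.isArray(config.scopes) && config.scopes.includes('offline_access');
}

// Step the post ends on: is a refresh_token present in the storage manager?
async function hasRefreshToken(oktaAuth) {
  const tokens = await oktaAuth.tokenManager.getTokens();
  return Boolean(tokens && tokens.refreshToken);
}

// Renew only when a refresh token exists. Returns a result object rather than
// throwing, so a "stay signed in" timer can decide what to do next.
async function staySignedIn(oktaAuth) {
  if (!(await hasRefreshToken(oktaAuth))) {
    return {
      renewed: false,
      reason: 'no refresh_token in storage; renewTokens() would not be a silent refresh',
    };
  }
  try {
    const tokens = await oktaAuth.token.renewTokens();
    await oktaAuth.tokenManager.setTokens(tokens);
    return { renewed: true, tokens };
  } catch (err) {
    return { renewed: false, reason: err && err.message ? err.message : String(err) };
  }
}

// Constructed stand-in for the parts of okta-auth-js this helper touches
// (tokenManager.getTokens/setTokens, token.renewTokens). Not the real library.
function makeStubOktaAuth({ refreshToken, renewFails = false } = {}) {
  const scopes = refreshToken
    ? [...oktaConfig.scopes]
    : oktaConfig.scopes.filter((s) => s !== 'offline_access');
  let stored = {
    accessToken: { accessToken: 'at-1', scopes },
    idToken: { idToken: 'id-1' },
  };
  if (refreshToken) stored.refreshToken = { refreshToken: 'rt-1' };
  let renewCount = 0;
  return {
    tokenManager: {
      getTokens: async () => ({ ...stored }),
      setTokens: async (tokens) => { stored = { ...tokens }; },
    },
    token: {
      renewTokens: async () => {
        // renewFails simulates the authorization server rejecting the renewal
        if (renewFails) throw new Error('login_required');
        renewCount += 1;
        const n = renewCount + 1;
        return {
          accessToken: { accessToken: `at-${n}`, scopes: stored.accessToken.scopes },
          idToken: { idToken: `id-${n}` },
          refreshToken: { refreshToken: `rt-${n}` },
        };
      },
    },
  };
}

// Stand-alone demo against the stand-in (constructed data, not a live Okta org).
staySignedIn(makeStubOktaAuth({ refreshToken: true })).then((result) => {
  console.log('renewed:', result.renewed, result.tokens ? result.tokens.accessToken.accessToken : result.reason);
});
```

The useful part for the "users stopped refreshing after a week" symptom is the early return: if the refresh_token never made it into storage (scope not enabled on the app or on the authorization server), the helper reports that directly instead of making a renewal call that cannot be silent.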