SecureRoute accessible with expired token

I believe something changed, maybe within okta-react, in the past couple of months. We believe this is how to replicate it. We are storing tokens in localStorage.
If a user closes their tab and the session expires in the meantime, the Okta token still exists in local storage.
If the user then tries to “deep link” to a SecureRoute, because the token exists, it lets them through. However, any API calls we try to make to our internal API gateway fail because the token is expired. I thought SecureRoute would block them altogether from getting to these routes and kick them back to the login page. onAuthRequired does work, but it seems to only work if the token has been completely removed from local storage.
Is there something extra we should be doing prior to letting a user through to a SecureRoute?
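The pre-route check the question asks about, as an added example that is not code from the original post or from okta-react/okta-auth-js: before a token found in localStorage is treated as a live session, decode the JWT payload and compare its `exp` claim with the current time, falling back to a renewal attempt only when a refresh token is stored and otherwise clearing the stale entry and sending the user to sign in. The storage key `okta-token-storage`, the nested token-object shape, the `routeDecision` function and the in-memory storage stand-in are all assumptions made for illustration, not the SDK's contract; the sample JWTs are constructed and unsigned.

```javascript
// Added example, not code from the original post or from okta-react/okta-auth-js.
// Storage key and object shape are assumptions modeled loosely on what the
// thread calls okta-token-storage; adjust them to whatever the SDK actually writes.

const STORAGE_KEY = 'okta-token-storage'; // assumed key

// Minimal in-memory stand-in for window.localStorage so this runs in Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

function base64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed, unsigned sample token for illustration only (alg "none").
function makeFakeJwt(claims) {
  return `${base64urlEncode({ alg: 'none', typ: 'JWT' })}.${base64urlEncode(claims)}.`;
}

// Decode the payload only. The browser never verifies the signature; the API
// gateway does that, so this check is a UX guard, not a security boundary.
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Decide what a SecureRoute guard should do with whatever is in storage:
//   'ok'    access token present and not expired (within a small clock-skew leeway)
//   'renew' access token expired but a refresh token is stored, so attempt a renewal
//   'login' nothing usable; clear the stale entry and send the user to sign in
function routeDecision(storage, nowSeconds = Math.floor(Date.now() / 1000), leewaySeconds = 30) {
  const raw = storage.getItem(STORAGE_KEY);
  if (!raw) return 'login';
  let tokens;
  try { tokens = JSON.parse(raw); } catch { tokens = null; }
  const access = tokens && tokens.accessToken && tokens.accessToken.accessToken;
  if (typeof access !== 'string') { storage.removeItem(STORAGE_KEY); return 'login'; }
  let exp;
  try { exp = decodePayload(access).exp; } catch { exp = undefined; }
  if (typeof exp === 'number' && nowSeconds <= exp + leewaySeconds) return 'ok';
  const refresh = tokens.refreshToken && tokens.refreshToken.refreshToken;
  if (typeof refresh === 'string') return 'renew';
  storage.removeItem(STORAGE_KEY); // do not leave a dead token for the next deep link
  return 'login';
}

// Reproduce the thread's scenario: a token 30 minutes past exp, tab reopened on a deep link.
function simulateScenarios(now = 1700000000) {
  const fresh = memoryStorage();
  fresh.setItem(STORAGE_KEY, JSON.stringify({ accessToken: { accessToken: makeFakeJwt({ exp: now + 600 }) } }));
  const stale = memoryStorage();
  stale.setItem(STORAGE_KEY, JSON.stringify({ accessToken: { accessToken: makeFakeJwt({ exp: now - 1800 }) } }));
  const staleWithRefresh = memoryStorage();
  staleWithRefresh.setItem(STORAGE_KEY, JSON.stringify({
    accessToken: { accessToken: makeFakeJwt({ exp: now - 1800 }) },
    refreshToken: { refreshToken: 'constructed-refresh-token' },
  }));
  return {
    fresh: routeDecision(fresh, now),
    stale: routeDecision(stale, now),
    staleWithRefresh: routeDecision(staleWithRefresh, now),
    staleCleared: stale.getItem(STORAGE_KEY) === null,
  };
}
```

Running `simulateScenarios()` yields `ok` for a live token, `renew` for an expired token that still has a refresh token beside it, and `login` (with the entry removed) for an expired token with nothing to renew it. The point of the guard is only to stop a deep link from rendering a page whose API calls are guaranteed to fail; the API gateway's own signature and expiry checks remain the actual enforcement.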

How are the tokens getting stored?

I assume they’re getting set in tokenManager, which is set to use local storage. The tokenManager should be clearing out the tokens when they expire and/or requesting new tokens to replace them via autoRenew. Do you see any renewals occurring?

We use a lot of the defaults, so yes, local storage:

Which version of the React SDK are you using? Do you see the same behavior if you test with our sample app?

We’re using:
okta-react 6.1.0
okta-auth-js 5.5.0
okta-signin-widget 5.11.0

I’ll have to verify the exact steps to replicate, but that takes some time since I have to wait for the session to expire. I believe it’s the following:

  1. Establish a session
  2. Close the tab
  3. After the expiration time, open a new tab going to a deep link (secure route)
  4. Verify the Okta token still exists in local storage. It probably doesn’t get cleared out because the tab was closed.

How long is autoRenew even allowed to work, though? I would assume at some point it would say this is too far expired and we won’t renew it. The tokens we’ve seen are around 30 minutes past expiration. And it’s using a token already in local storage when entering the app because it’s not being wiped out (i.e. the user just leaves the browser tab and doesn’t log out).

I did just notice this. Are we supposed to be doing this now? Or is this only for certain situations?
I did notice that tokens were renewing as they got close to the expiration time, so that seems to be working in happy-day scenarios.

Are you using/storing refresh tokens (scopes requested contains offline_access)?

These are the scopes we provide: ['openid', 'profile', 'email', 'offline_access']

They haven’t changed in a couple years.

And thanks for the replies! So far this has been helpful!

It sounds like autoRenew is enabled (it is enabled by default) and the tokens are getting refreshed via the granted refresh token, which happens when the tokens expire.

If you remove offline_access from your list of scopes and try this out again (let the access/id tokens expire, let the Okta session expire), do you still see the same behavior?