Service Provider Okta is not providing Access Token to SPA app

In one of our projects, we have two Oktas (one as IP and another as SP): one is for internal employees and the other is for external employees. Both Oktas are configured as an Org2Org app (SAML) communication to access some applications in the external employees' Okta app.

Some of our internal employees also need to access the external Okta app. So we have registered the SPA app in the external Okta app, but here for security purposes we have an Access Token timeout of 15 mins (rotating the AT every 15 mins) and a Session timeout of 30 mins. But in the internal employees' Okta we have the default Session timeout of 2 hours and an AT of 1 hour. In both cases the ID Token timeout is 1 hour, as we can't change it.

So here is what happens: when the internal employees access the SPA application registered in the external Okta app from the internal employees' Okta application dashboard (Org2Org relay state), it works for 30 mins, as the session timeout is only 30 mins, and during that time the access token is retrieved successfully. But the problem starts only after that: when the user is idle for 30 mins and we then retrieve the access token, Okta rightly returns a login_required code and goes to the login page. But if the user clicks the SPA app in the Okta application dashboard (since our internal Okta application has the default session timeout of 2 hours), it retrieves the ID token, since it is in localstorage and not expired (1 hour), but during signout Okta removes the access token from localstorage via the code below. So the next time the SPA app is clicked, getAsync looks for token availability in local storage or access token expiration, so we are not getting the Access Token (code given below). The SPA application logs in successfully, but does not retrieve the Access Token, and we are not able to retrieve the data from the resource server.

So what can we do here to retrieve the Access Token (we are using the Okta default login page and a React SPA using the PKCE flow)? Please suggest your solution for the above scenario…
One solution is to use authService.handleAuthentication() or authService.redirect() to retrieve both tokens if the Access token is not available in localstorage, but it adds an extra roundtrip to load.

TokenManager.js (renew) - (local storage access token removal)
// renew() failure handler: the comparison target was lost in the post and is
// restored here as err.name, the property the error-name strings are checked against.
.catch(function(err) {
  if (err.name === 'OAuthError' || err.name === 'AuthSdkError') {
    remove(tokenMgmtRef, storage, key); // drops the access token from local storage
    err.tokenKey = key;
    err.accessToken = !!token.accessToken;
  }
  emitError(tokenMgmtRef, err);
  throw err;
});

Access token retrieval method
function getAsync(sdk, tokenMgmtRef, storage, key) {
  return new Promise(function(resolve) {
    var token = get(storage, key);
    // A missing token resolves to undefined here; only an expired one is renewed.
    if (!token || !hasExpired(tokenMgmtRef, token)) {
      return resolve(token);
    }
    var tokenPromise = tokenMgmtRef.options.autoRenew
      ? renew(sdk, tokenMgmtRef, storage, key)
      : remove(tokenMgmtRef, storage, key);
    return resolve(tokenPromise);
  });
}


Hope someone has come across this scenario; please suggest your solution as soon as possible.
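Added example (not code from the original post or from okta-auth-js): a small synchronous model of the posted TokenManager logic that reproduces the state described above, a valid ID token with no access token, and shows a check a SPA can make before calling the resource server. The names getToken, ensureAccessToken and runScenario, and the constructed token lifetimes, are assumptions for the demo.

```javascript
// Constructed model, not okta-auth-js itself: a synchronous stand-in for the
// TokenManager logic quoted in the post. Times are in seconds since token issue.
function hasExpired(token, nowSec) {
  return token.expiresAt <= nowSec;
}
// Mirrors getAsync/renew: a cached, unexpired token is returned as-is; an expired
// one is renewed, and a failed renew (OAuthError such as login_required, or
// AuthSdkError) removes it from storage and rethrows.
function getToken(storage, key, renew, nowSec) {
  var token = storage[key];
  if (!token || !hasExpired(token, nowSec)) return token;
  try {
    storage[key] = renew(key);
    return storage[key];
  } catch (err) {
    if (err.name === 'OAuthError' || err.name === 'AuthSdkError') {
      delete storage[key]; // the localstorage removal the post points at
    }
    throw err;
  }
}
// Defensive wrapper for the SPA (assumed name): a valid ID token alone does not
// authorize resource-server calls, so "no access token" must start a new
// authorization rather than send a request without a bearer token.
function ensureAccessToken(storage, renew, nowSec) {
  var token;
  try { token = getToken(storage, 'accessToken', renew, nowSec); }
  catch (e) { token = undefined; }
  if (token) return 'ok';
  var id = storage.idToken;
  return id && !hasExpired(id, nowSec) ? 'reauthorize' : 'login';
}
// Constructed scenario from the post: AT lifetime 15 min, ID token 1 h, and the
// external Okta session already gone when the user comes back at 40 min.
function runScenario() {
  var storage = {
    accessToken: { accessToken: 'AT-1', expiresAt: 15 * 60 },
    idToken: { idToken: 'ID-1', expiresAt: 60 * 60 }
  };
  var renewFails = function () {
    throw Object.assign(new Error('login_required'), { name: 'OAuthError' });
  };
  var steps = {};
  steps.t10 = ensureAccessToken(storage, renewFails, 10 * 60); // 'ok'
  steps.t40 = ensureAccessToken(storage, renewFails, 40 * 60); // renew fails, AT removed
  steps.rawAt45 = getToken(storage, 'accessToken', renewFails, 45 * 60); // undefined, no error
  steps.t45 = ensureAccessToken(storage, renewFails, 45 * 60); // 'reauthorize'
  steps.t70 = ensureAccessToken(storage, renewFails, 70 * 60); // 'login' (ID token expired too)
  return steps;
}
```

The rawAt45 step is the silent failure from the post: once the access token has been removed, a plain lookup resolves to undefined without any error, which is why the SPA appears logged in yet cannot call the resource server.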