Silent refresh token for multiple subdomains under the same domain

Here’s a weird scenario that happens in my case.

Let’s say there are 2 accounts: xyz.domain.com and abc.domain.com. There are 2 different email IDs associated with these accounts, say a@email.com and b@email.com respectively.

If I log in to both these accounts using the respective email IDs in the same browser but in different tabs, a refresh token request seems to behave vaguely. So what really happens is, if xyz.domain.com was logged in first and followed by abc.domain.com: there is a silent refresh token fetch mechanism in the code that uses `tokenManager.renew('accessToken')` every 45 minutes. At the 45th minute of the refresh token fetch for xyz.domain.com, Okta returns the accessToken values of abc.domain.com and b@email.com. Because of this, the React SPA app receives a 401 from the API, which then redirects to the login screen.

In the okta-js documentation, it is mentioned to use a different storageKey for same app and I’ve also made sure this storageKey is unique per domain. Yet the renewal of accessToken seems to be different.

What am I doing wrong or is there a config that needs to be done?

PS: we use the same clientId and configs, which are the same for both subdomains.

When you do this flow, where you log users into the same browser but in different tabs, do you see a ‘sid’ session cookie getting set for them at the Okta domain? The silent token refresh from our SDKs is reliant on the ‘sid’ in order to request new tokens for the user, so whichever user has a ‘sid’ set in the browser is the one who will be granted the refreshed tokens.

You may want to look into “Refresh token rotation,” which is a Self-Service EA feature that you can enable in your own Org (it can be found in the Admin console under Settings -> Features). This will allow you to get and use refresh tokens in your SPA application. Note that our SDKs are actively being updated to use these refresh tokens and handle rotation. More information can be found in our Refresh token rotation guide.
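The answer above explains that the silent renewal is granted to whichever user currently owns the ‘sid’ session cookie at the Okta domain, so the app cannot assume the renewed token still belongs to the user it logged in. The following is an added example, not code from this thread or from the Okta SDK: after `tokenManager.renew('accessToken')` it compares the `sub` claim of the renewed access token with the identity the subdomain’s session was established for, and drops the token instead of sending it to the API when they differ. The helper names, the `authClient` instance and the sample tokens are assumptions.

```javascript
// Added example (not from the original thread or the Okta SDK).
// Assumes the Okta access token is a JWT whose payload carries `sub`
// (the user's login, e.g. a@email.com). Helper names are hypothetical.

// Claim inspection only: the SDK already validated the token it returned,
// this just reads the payload to see WHICH user it was minted for.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

// Returns { ok: true, sub } when the renewed token is for the expected user,
// otherwise { ok: false, reason } so the caller can restart login instead
// of sending another user's token to the API and getting a 401.
function checkRenewedToken(expectedSub, renewedJwt) {
  const claims = decodeJwtPayload(renewedJwt);
  if (claims.sub !== expectedSub) {
    return { ok: false, reason: `renewed token is for ${claims.sub}, expected ${expectedSub}` };
  }
  return { ok: true, sub: claims.sub };
}

// Wrapper around the SDK's renew; `authClient` is an OktaAuth instance (assumed).
async function renewForUser(authClient, expectedSub) {
  const token = await authClient.tokenManager.renew('accessToken');
  const result = checkRenewedToken(expectedSub, token.accessToken);
  if (!result.ok) {
    // Mismatched identity: discard it rather than use it for API calls.
    authClient.tokenManager.remove('accessToken');
  }
  return result;
}

// Constructed sample token (placeholder signature, for illustration only).
function makeSampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.sig`;
}
```

In the scenario from the question, the xyz.domain.com tab would expect `a@email.com` and receive a token for `b@email.com`, which this check reports before the API rejects it.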
