Hey, everybody!
My access tokens are not re-fetched. Here’ s the setup and steps to reproduce:
I want to setup SPA with access tokens exchange mechanism based on rotating refresh tokens. My goal is to have access tokens exchange each 10 minutes. Each 12 hours I want to logout of the app. For that purpose I have set the refresh token to expire in 12 hours in order to stop renewing access tokens…
I have set everything up in OKTA’s admin panel:
- refresh token rotation after every use
- include refresh token in the grant type section
- set up expiration time for access token and refresh token as well
- add logout/login redirect URIs
I have also set things up on the client side (SPA okta-auth-js)
autoRenew: trueby default- include
offline_accessin scopes - add
tokenManager.on('error', ...)handler to catch when token is no longer renewed due to stalling of the refresh token and callsignOut() - add handlers in my http client interceptors to catch 401s and do
signOut()
Here’s what I’m seeing and this is stable reproducible (for the test purpose I changed the lifetime of an access token to be 5 minutes and refresh token to be 7 minutes):
- On Sign In OKTA view, logging in for the first time - /token endpoint is hit with
grant_type: authorization_code, retrieved access token and refresh token. - In ~5 minutes a request to /token is made with
grant_type: refresh_tokenand previous refresh token itself; retrieved access token and new refresh token - In ~5 minutes a request to /token is made with
grant_type: refresh_tokenand previous refresh token itself; get 400 errorinvalid_grant(is it a correct error? ) presumably because refresh token had expired ~3 minutes ago already tokenManager.on('error', ...)catches that 400 and does thesignOut(), getting me to sign in OKTA view
So far everything goes as I would expect.
- Click sign in again and log back in. /token endpoint is hit with
grant_type: authorization_code, retrieved access token and refresh token - In ~5 minutes NO REQUEST to /token IS MADE. Access token is not refetched and when it completely expires any request from the client side results in 401 error.
- Http client interceptor catches 401 and does the exact same
signOut()as on the step 3) getting me to sign in OKTA view - Repeat from the step 0)
I would expect to have one more access token retrieval request in exchange for refresh token, the same that was made on the step 1).
By the way, for what it’s worth, the second time signOut is invoked after 401 handling (step 6) there are two revoke requests in network always seen. One to revoke access token and another to retrieve refresh token. There are none when signOut() happens from the error callback (step 3)
What am I missing? I thought I can achieve force logout the app in 12 hours, by simply making refresh token life time equal to 12 hours and thus get an error on the next renewal and do the sign out. Is there a well defined way to do what I intended? Please, any help is appreciated, thanks!