I’m having issues with refreshing tokens silently in my SPA with okta-auth-js.
First of all, I went through Okta’s options, and increase the lifetime of the different options to at least a day. (Access Token lifetime up to a day, Refresh Token permanent, session lifetime 7 days). Yet I am having feedback from users that they are disconnected at least 3-4 times a day. I don’t understand why that happens when the user should be good for at least a day when they log in with the given options.
Second, the autoRenew works, however it does a redirection to Okta and then back to our login page to finish the login process. This happens quickly and the user is redirected to the page they were when the renew started, however they will also lose their unsaved progress as it went through a redirection. Is there a way to change the method used when renewing the token such that it does a background call instead of getting with the redirection ?
EDIT:
I have read some documentation where it says that it’s not possible to have token refresh when using the authorization code PKCE flow. Does that mean it’s not possible to have silent refresh on an SPA with this flow?
I also saw in the comments of this page Implement the OAuth 2.0 Authorization Code with PKCE Flow | Okta Developer that Okta doesn’t allow for refresh_token in authorization code with PKCE. It looks like the preferred way is to leverage the Okta session, however I think that means that it’s not possible to refresh without a redirect?
You have multiple options, but regarding refresh tokens use with auth code + pkce, it’s a newer feature as outlined here so some of the older information out there may be a bit outdated - Are you using any Okta front-end SDK or strictly okta-auth-js?
We actually recently added support for SPAs to be able to receive and use refresh tokens on the front-end via CORS requests, though the silent refresh that occurs without refresh tokens available would only fail if the user’s session with Okta had expired (which may be the case here) or is was not found in the browser (which is usually caused by 3rd party cookies being blocked). If so, using refresh tokens would divorce the Okta session lifetime from your ability to renew tokens for the user and should help keep your users logged in without needing to re-authenticate!
To use refresh token for a SPA, you will need to go to Admin → Settings → Features and enable “Refresh token rotation,” and then update your SPA to have “Refresh token” as an Allowed grant type.
More details about refresh token rotation can be found here.
I am using both the React package and okta-auth-js. Does using the “Refresh token rotation” feature require any modification to the frontend or is it handled by the packages already?