Token Renewal Fails in PWA (React) on iPad, Leading to User Disconnection or Stuck Unauthenticated State

I am using @okta/okta-auth-js and the token renewal sometimes fails in a PWA running on an iPad, even though refresh tokens are configured with the offline_access scope. When this happens, the refresh token is deleted, leaving users either disconnected or unknowingly stuck in an unauthenticated state.

Steps to reproduce

  1. Initial Setup
    • Configure refresh tokens with the offline_access scope enabled.
    • Initially, set autoRenew to true. When the token expires offline, users get disconnected upon reconnecting.
  2. Switch to Manual Renewal
    • Set autoRenew to false and listen for token expiration events.
    • Call renewTokens() when the event oktaAuth.tokenManager.on("expired") fires and navigator.onLine is true.
    • Some users experience token renewal failure with this error, possibly due to network issues.
    { "name": "AuthApiError", "errorSummary": "Load failed" }
    • Some affected users are in areas with very poor network connections.
  3. Critical Issue: Refresh Token Deletion
    • When renewTokens() fails, the refresh token is deleted, despite its 90-day lifetime and daily reissuance. This results in two cases:
      • With third-party cookies blocked: the /authorize request fails with the error:
        { "resp": null, "name": "OAuthError", "errorCode": "login_required", "errorSummary": "The client specified not to prompt, but the user is not logged in.", "error": "login_required", "error_description": "The client specified not to prompt, but the user is not logged in." }
      • With third-party cookies enabled: the renewal sometimes works and sometimes does not.
    • If a user closes the app indefinitely and later reopens it, failing to fetch encryption key data with a 401 error prevents the app from

@okta/okta-auth-js version: 7.10.1

Any insights or guidance on how to improve the token renewal process would be greatly appreciated. Thank you!
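
An added example, not part of the original post and not Okta's code: one way to structure the manual renewal from step 2 so that a network failure such as "Load failed" is retried with backoff, while an OAuth error such as login_required is reported as needing an interactive sign-in. It assumes `oktaAuth` is an @okta/okta-auth-js client; the helper names `isTransient`, `renewWithRetry` and `wireManualRenewal` and the error-message patterns are assumptions.

```javascript
// Added example, not from the original post; helper names are hypothetical.
// Assumption: a fetch network failure surfaces as AuthApiError carrying the browser's
// message: "Load failed" (seen in the post), or the Chrome / Firefox equivalents.
const NETWORK_MSG = /load failed|failed to fetch|networkerror/i;

function isTransient(err) {
  if (!err || err.name === 'OAuthError') return false; // e.g. login_required: retry cannot help
  return err.name === 'AuthApiError' && NETWORK_MSG.test(err.errorSummary || '');
}

const defaultOnline = () => typeof navigator === 'undefined' || navigator.onLine !== false;
const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Resolves to { status, attempts, error? }; status is one of
// 'renewed' | 'offline' | 'reauth' | 'retry-later'.
async function renewWithRetry(oktaAuth, opts = {}) {
  const { attempts = 4, baseDelayMs = 1000, isOnline = defaultOnline, sleep = defaultSleep } = opts;
  let lastErr;
  for (let i = 0; i < attempts; i++) {
    if (!isOnline()) return { status: 'offline', attempts: i }; // wait for the next 'online' event
    try {
      const tokens = await oktaAuth.token.renewTokens();
      oktaAuth.tokenManager.setTokens(tokens);
      return { status: 'renewed', attempts: i + 1 };
    } catch (err) {
      lastErr = err;
      if (!isTransient(err)) return { status: 'reauth', attempts: i + 1, error: err };
      if (i < attempts - 1) await sleep(baseDelayMs * 2 ** i); // 1s, 2s, 4s ...
    }
  }
  return { status: 'retry-later', attempts, error: lastErr };
}

// Several tokens can expire together; collapse their events into one renewal run.
function wireManualRenewal(oktaAuth, onResult, opts) {
  let inFlight = null;
  oktaAuth.tokenManager.on('expired', () => {
    if (inFlight) return;
    inFlight = renewWithRetry(oktaAuth, opts)
      .then(onResult)
      .finally(() => { inFlight = null; });
  });
}
```

A caller would start an interactive sign-in on `'reauth'` and try again once connectivity returns on `'offline'` or `'retry-later'`.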