I am using @okta/okta-auth-js and the token renewal sometimes fails in a PWA running on an iPad, even though refresh tokens are configured with the offline_access scope. When this happens, the refresh token is deleted, leaving users either disconnected or unknowingly stuck in an unauthenticated state.
Steps to reproduce?

- Initial Setup
• Configure refresh tokens with the offline_access scope enabled.
• Initially, set autoRenew to true. When the token expires offline, users get disconnected upon reconnecting.

- Switch to Manual Renewal
• Set autoRenew to false and listen for token expiration events.
• Call renewTokens() when the event oktaAuth.tokenManager.on("expired") fires and navigator.onLine is true.
• Some users experience token renewal failure with this error, possibly due to network issues:
{ "name": "AuthApiError", "errorSummary": "Load failed" }
• Some affected users are in areas with very poor network connections.

- Critical Issue: Refresh Token Deletion
• When renewTokens() fails, the refresh token is deleted despite its 90-day lifetime and daily reissuance. This results in two cases:
  - With third-party cookies blocked: the /authorize request fails with the error:
  { "resp": null, "name": "OAuthError", "errorCode": "login_required", "errorSummary": "The client specified not to prompt, but the user is not logged in.", "error": "login_required", "error_description": "The client specified not to prompt, but the user is not logged in." }
  - With third-party cookies enabled: the renewal sometimes works, sometimes not.
• If a user closes the app indefinitely and later reopens it, failing to fetch encryption key data with a 401 error prevents the app from
@okta/okta-auth-js version: 7.10.1

Any insights or guidance on how to improve the token renewal process would be greatly appreciated. Thank you!
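The post describes two very different failures that currently get the same treatment: an AuthApiError "Load failed" (the request never completed, so nothing definitive is known) and an OAuthError login_required (the /authorize call reached Okta and the session is gone). The following is an added example, not code from the original post or from the Okta SDK, of a manual renewal routine that waits until the device is online, retries transient failures with capped exponential backoff, and only treats login_required as terminal. The SDK calls are injected as functions so the core logic runs without @okta/okta-auth-js; the `attachRenewal()` wiring assumes the SDK API names noted in its comments (tokenManager.on('expired'), token.renewTokens(), tokenManager.setTokens()), which should be checked against the docs for the version in use.

```javascript
// Added example (not from the original post or the Okta SDK): an offline-aware renewal
// wrapper that retries transient failures and only gives up on a definitive login_required.

// Classify a failure thrown by the renewal call using the two error shapes quoted in the post.
// - AuthApiError "Load failed" is the browser's generic fetch failure: the request never
//   completed, so the session state is unknown and the call may be retried.
// - OAuthError login_required means /authorize reached Okta and the session is gone:
//   retrying cannot help; the user has to sign in again.
function classifyRenewError(err) {
  if (!err || typeof err !== 'object') return 'unknown';
  if (err.name === 'OAuthError' && err.errorCode === 'login_required') return 'login_required';
  if (err.name === 'AuthApiError' && /load failed|failed to fetch|network/i.test(err.errorSummary || '')) {
    return 'transient';
  }
  return 'unknown';
}

// Exponential backoff with full jitter, capped. `attempt` is 0-based; `random` is injectable for tests.
function backoffDelayMs(attempt, baseMs, capMs, random = Math.random) {
  const ceiling = Math.min(capMs, baseMs * 2 ** attempt);
  return Math.floor(random() * ceiling);
}

// Run renew() until it succeeds, a terminal error appears, or attempts are exhausted.
// All dependencies are injected: renew(), isOnline(), waitForOnline(), sleep(ms).
async function renewWithBackoff({
  renew, isOnline, waitForOnline, sleep,
  maxAttempts = 5, baseDelayMs = 1000, capDelayMs = 30000, random = Math.random,
}) {
  let lastError = null;
  for (let attempt = 0; attempt < maxAttempts; attempt++) {
    // Never spend an attempt while offline: a renewal fired with navigator.onLine false
    // is guaranteed to fail, and the post's failures cluster on poor networks.
    if (!isOnline()) await waitForOnline();
    try {
      const tokens = await renew();
      return { ok: true, tokens, attempts: attempt + 1 };
    } catch (err) {
      lastError = err;
      const kind = classifyRenewError(err);
      if (kind !== 'transient') {
        return { ok: false, reason: kind, attempts: attempt + 1, error: err };
      }
      if (attempt + 1 < maxAttempts) {
        await sleep(backoffDelayMs(attempt, baseDelayMs, capDelayMs, random));
      }
    }
  }
  return { ok: false, reason: 'exhausted', attempts: maxAttempts, error: lastError };
}

// Wiring for the real SDK. Assumed API: tokenManager.on('expired', cb) fires once per expired
// token key, token.renewTokens() resolves to the new token set, tokenManager.setTokens() stores it.
// Because 'expired' fires per key (idToken, accessToken), concurrent renewals are collapsed onto
// a single in-flight promise so the refresh token is used once per expiry, not once per key.
function attachRenewal(oktaAuth, { onLoginRequired, onExhausted }) {
  let inflight = null;
  const renewOnce = () => {
    if (!inflight) {
      inflight = renewWithBackoff({
        renew: () => oktaAuth.token.renewTokens(),
        isOnline: () => navigator.onLine,
        waitForOnline: () => new Promise((resolve) => window.addEventListener('online', resolve, { once: true })),
        sleep: (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
      }).finally(() => { inflight = null; });
    }
    return inflight;
  };
  oktaAuth.tokenManager.on('expired', async () => {
    const result = await renewOnce();
    if (result.ok) oktaAuth.tokenManager.setTokens(result.tokens);
    else if (result.reason === 'login_required') onLoginRequired(result.error);
    else onExhausted(result); // still signed in locally; surface a "retry when connected" state
  });
  return renewOnce;
}
```

The point of the split is that an exhausted retry loop leaves the user in a known, recoverable state (tokens still present, renewal to be retried on the next 'online' event) instead of silently dropping to unauthenticated, while a genuine login_required is surfaced immediately as a sign-in prompt rather than retried against a session that no longer exists.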