We are using refresh tokens for our user accounts in our OKTA tenant constantly to get access tokens, and we configure our refresh token expiration to be 90 days. My question is: is it possible that my refresh token could be revoked by OKTA (for some reason) before the expiration that I configured?
Yes, administrators can revoke your refresh token if required.
Hi Philipp, and thank you for your reply. Let me clarify, please: does your answer mean that OKTA administrators could revoke my refresh tokens by their own (OKTA) decision, or by my request?
Hi Denis, your administrators can remove your token by their decision in case of any security-related incident, or when your user is offboarded from the tenant.
Hi, I know that, but my question was about OKTA administrators. Is it possible that my tokens will be revoked by OKTA, not by request from me or my company administrators? For example, in a case where some security issue is discovered by OKTA that requires revoking, let's say, all customers' refresh tokens.
Do you mean the Okta Support Team? I doubt that they would do that, or that they have this ability.
But if you need an official answer, it’s better to raise a ticket with Okta Support or ask your Okta CSM.