Utilising refresh tokens with the javascript sdk

Hey all. It’s the first time I am working with both okta & refresh tokens. At the moment I am trying to implement a solution using refresh token for a client side application and I am using the okta javascript sdk. I found that the token.renewTokens seems to do what I need (makes a post call to the /token endpoint and provides me with a new set of tokens, id_token, access_token and refresh_token in my case). My problem comes when I am trying to test some corner cases, more specifically the following:

While I am authenticated with okta I then decide to terminate my session on the sso_server. Then I proceed to perform the POST request to /token via the token.renewTokens method. My expectation would be that this should result in an error but actually the call is successful and I receive a new set of tokens. I am sure my session is terminated as calling oktaAuth.session.exists() returns false after I have terminated my session (but always returns true while my session is active).

Hope someone here can help me.

Hello,

refresh_token validity is independent of your Okta session. You can have a short lived Okta session and a long lived refresh_token.

If you want to make sure a user fully logs out (both your application and Okta) you should:

  • revoke the tokens
  • remove the tokens
  • sign out of the Okta session

The SDK allows all these options: GitHub - okta/okta-auth-js: The official js wrapper around Okta's auth API

Thank You,

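The three steps in the reply above, written out as an added example (this is not code from the thread or from okta-auth-js; it calls Okta's public OAuth 2.0 endpoints directly so the order of the steps and the reason for that order are visible). The org URL, issuer, client id and post-logout redirect URI are placeholders, the `{ accessToken, refreshToken, idToken }` shape of the `tokens` argument is assumed, and `fetchImpl`/`storage` are injected so the flow can be exercised without a network. In the SDK itself the same steps correspond to `revokeRefreshToken()`, `revokeAccessToken()`, `tokenManager.clear()` and `signOut()`. The point that matters for the original question: `session.exists()` returning false says nothing about the refresh token, so revocation, not the session check, is what stops `renewTokens()` from succeeding.

```javascript
// Added example (not code from the thread or from okta-auth-js): the three
// logout steps the reply lists, against Okta's public endpoints.
// Placeholders, not real values:
const ORG_URL = "https://example.okta.com";                  // assumed Okta org URL
const ISSUER = `${ORG_URL}/oauth2/default`;                  // assumed authorization server
const CLIENT_ID = "0oaEXAMPLEclientid";                      // assumed SPA client id
const POST_LOGOUT_REDIRECT_URI = "https://app.example.com/"; // assumed; must be registered in Okta
const STORAGE_KEY = "okta-token-storage";                    // default okta-auth-js tokenManager key

// Step 1 (server side): build an RFC 7009 revocation request. Okta's revoke
// endpoint takes the token, a token_type_hint of "access_token" or
// "refresh_token", and for a public SPA client the client_id in the body.
function buildRevokeRequest(token, hint) {
  const params = new URLSearchParams({ token, token_type_hint: hint, client_id: CLIENT_ID });
  return {
    url: `${ISSUER}/v1/revoke`,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: params.toString(),
    },
  };
}

async function revokeToken(token, hint, fetchImpl = globalThis.fetch) {
  const { url, options } = buildRevokeRequest(token, hint);
  const res = await fetchImpl(url, options);
  // Per RFC 7009 the server answers 200 even for an unknown or already-revoked
  // token, so a non-2xx here means the request was malformed or the server was
  // unreachable, not that the token is still valid.
  return res.ok;
}

// Step 2 (client side): drop the cached tokens. Done only after revocation,
// because once they are gone from storage there is nothing left to revoke.
function removeTokens(storage) {
  storage.removeItem(STORAGE_KEY);
}

// Step 3 (Okta session): RP-initiated logout URL. Navigating the browser here
// ends the Okta session cookie; id_token_hint tells Okta which session.
function buildLogoutUrl(idToken, postLogoutRedirectUri = POST_LOGOUT_REDIRECT_URI) {
  const u = new URL(`${ISSUER}/v1/logout`);
  u.searchParams.set("id_token_hint", idToken);
  u.searchParams.set("post_logout_redirect_uri", postLogoutRedirectUri);
  return u.toString();
}

// Full sign-out. `tokens` holds the raw token strings (assumed shape),
// `storage` is window.localStorage in a browser, `fetchImpl` is injected.
async function fullSignOut(tokens, storage, fetchImpl = globalThis.fetch) {
  const result = { refreshRevoked: false, accessRevoked: false, logoutUrl: null };
  // Revoke the refresh token first: it is the credential that lets
  // renewTokens() keep minting new tokens after the Okta session is gone.
  if (tokens.refreshToken) {
    result.refreshRevoked = await revokeToken(tokens.refreshToken, "refresh_token", fetchImpl);
  }
  if (tokens.accessToken) {
    result.accessRevoked = await revokeToken(tokens.accessToken, "access_token", fetchImpl);
  }
  removeTokens(storage);
  result.logoutUrl = buildLogoutUrl(tokens.idToken);
  return result;
}

// Browser usage (not executed here):
//   const r = await fullSignOut(tokens, window.localStorage);
//   window.location.assign(r.logoutUrl);
```

Revoking before clearing storage is deliberate: if the client deletes its tokens first and then fails to reach the revoke endpoint, the refresh token stays valid on the server for its full lifetime with no copy left to revoke later.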