
Okta returning expired token from issuer after some inactivity

Open ashishbairwa opened this issue 6 months ago • 2 comments

Describe the bug

Hi, team. I’m currently using okta auth release 5.11 in one of our apps. For some reason, after some time, when I call renew tokens I always get an expired one. Attaching a screenshot to show the current scopes in the project.

Here is a code snippet showing the usage. Initializing oktaAuth:

  import { useMemo } from 'react';
  import { OktaAuth, SignInOptions, Tokens } from '@okta/okta-auth-js';

  // clientId, issuer and redirectUri come from the config options shown below
  const oktaAuth: OktaAuth = useMemo(
    () =>
      new OktaAuth({
        clientId,
        issuer,
        redirectUri,
        scopes: ['openid', 'profile', 'email', 'offline_access'],
        pkce: true,
        tokenManager: {
          autoRenew: true,   // token manager renews tokens before they expire
          autoRemove: true,  // expired tokens are removed from storage
        },
      }),
    [clientId, issuer, redirectUri],
  );

  // authState comes from the Okta React security context
  const securityContext: SecurityContext = {
    authState,
    authClient: {
      signInWithRedirect: (options?: SignInOptions): Promise<void> =>
        oktaAuth.signInWithRedirect(options),
      signOut: (): Promise<boolean> => {
        console.log('called signout');
        return oktaAuth.signOut();
      },
      isAuthenticated: () => {
        console.log('called isAuthenticated');
        return oktaAuth.isAuthenticated();
      },
      getAccessToken: () => {
        console.log('called getAccessToken');
        console.log({
          accessToken: authState?.accessToken?.accessToken,
          oneLevelUp: authState?.accessToken,
        });
        return authState?.accessToken?.accessToken;
      },
      // called from the SSE error handler when the connection fails
      renewTokens: (): Promise<Tokens> => {
        console.log('called renewTokens');
        return oktaAuth.token.renewTokens();
      },
      setTokens: (token: Tokens) => {
        console.log('called setTokens');
        oktaAuth.tokenManager.setTokens(token);
      },
    },
    capabilities: capabilitiesContext,
  };

Config options:

  const options = {
    oktaConfig: {
      clientId: process.env.OKTA_CLIENT_ID || '',
      issuer: process.env.OKTA_ISSUER || '',
      redirectUri: `${window.location.origin}/okta/callback`,
      restoreOriginalUri,
    },
    capabilitiesConfig: {
      enabled: false,
    },
  };

We are using setTokens and renewTokens in an SSE event handler, and only when the connection fails; after some time I get a token whose expiresAt differs from the current time by only 1 second. Am I missing something in renewTokens?

A few observations that I noted while monitoring my app:

  1. After some time, when the SSE connection error happens, our app emits one Okta error: The client specified not to prompt, but the user is not logged in.
  2. There is another type of issue which comes with the SSE connection error, and very sporadically. Error: Okta error: OAuth flow timed out

[screenshot]

Reproduction Steps?

Behaviour similar to https://github.com/okta/okta-auth-js/issues/1445#issuecomment-2293899628

  • Leaving the app inactive in a tab for some time (the duration is usually greater than 15-30 mins)
  • After some time we receive an expired token with expiresAt having a difference of 1 from the current time, in minutes

SDK Versions

System:
  OS: macOS 14.5
  CPU: (10) arm64 Apple M2 Pro
  Memory: 60.28 MB / 16.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 18.4.0 - ~/.nvm/versions/node/v18.4.0/bin/node
  npm: 8.12.1 - ~/.nvm/versions/node/v18.4.0/bin/npm
Browsers:
  Brave Browser: 127.1.68.141
  Chrome: 128.0.6613.85
  Safari: 17.5
npmPackages:
  @okta/okta-auth-js: 5.11.0 => 5.11.0
  @okta/okta-react: 6.4.3 => 6.4.3

Additional Information?

No response

ashishbairwa, Aug 23 '24 08:08
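The report above describes renewTokens() returning a token whose expiresAt is only a second away from the current time. The following is an added example (not code from the issue or from the okta-auth-js project) of a guard a caller can put around a renewal: it cross-checks each returned token's expiresAt against the JWT's exp claim, rejects tokens with less than a minimum remaining lifetime, retries once, and returns null so the caller can fall back to a full sign-in instead of storing a dead token. The Token/Tokens shapes, the RenewFn wrapper and the fakeJwt helper are assumptions made for this example; a Node runtime is assumed for Buffer.

```typescript
// Token shapes assumed to mirror okta-auth-js: expiresAt is epoch seconds,
// derived by the SDK from the token's `exp` claim.
type Token = { expiresAt: number; value: string };
type Tokens = { accessToken?: Token; idToken?: Token };
type RenewFn = () => Promise<Tokens>;

// Minimum remaining lifetime (seconds) we accept from a freshly renewed token.
const MIN_LIFETIME_S = 60;

// Read the `exp` claim of a JWT without verifying its signature (Node Buffer assumed).
function jwtExp(jwt: string): number | undefined {
  const parts = jwt.split('.');
  if (parts.length !== 3) return undefined;
  try {
    const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
    return typeof payload.exp === 'number' ? payload.exp : undefined;
  } catch {
    return undefined;
  }
}

// A token is usable only if its expiresAt agrees with the JWT's exp claim and
// it still has at least MIN_LIFETIME_S of life at `now` (epoch seconds).
function isUsable(token: Token | undefined, now: number): boolean {
  if (!token) return false;
  const exp = jwtExp(token.value);
  if (exp !== undefined && exp !== token.expiresAt) return false;
  return token.expiresAt - now >= MIN_LIFETIME_S;
}

// Calls renew() up to twice and returns the tokens only when both the access
// and the ID token are usable; otherwise null, signalling "re-authenticate".
async function renewChecked(
  renew: RenewFn,
  now: () => number = () => Math.floor(Date.now() / 1000),
): Promise<Tokens | null> {
  for (let attempt = 0; attempt < 2; attempt++) {
    const tokens = await renew();
    if (isUsable(tokens.accessToken, now()) && isUsable(tokens.idToken, now())) {
      return tokens;
    }
  }
  return null;
}

// Constructed, unsigned JWT used only to exercise the check (hypothetical helper).
function fakeJwt(exp: number): string {
  const b64 = (o: object) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'none' })}.${b64({ sub: 'user', exp })}.sig`;
}
```

On a null result the caller should fall back to signInWithRedirect rather than calling setTokens with the returned values.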