okta / okta-auth-js

The official js wrapper around Okta's auth API

Okta returning expired token from issuer after some inactivity #1534

Open ashishbairwa opened 1 month ago

ashishbairwa commented 1 month ago

Describe the bug

Hi, team. I'm currently using okta-auth-js release 5.11 in one of our apps. For some reason, after some time, when I call renew tokens I always get an expired one. Attaching a screenshot to show the current scopes in the project.

Here is some code snippet showing the usage: Initializing oktaAuth:

```typescript
const oktaAuth: OktaAuth = useMemo(
  () =>
    new OktaAuth({
      clientId,
      issuer,
      redirectUri,
      scopes: ['openid', 'profile', 'email', 'offline_access'],
      pkce: true,
      tokenManager: {
        autoRenew: true,
        autoRemove: true,
      },
    }),
  [clientId, issuer, redirectUri],
);

const securityContext: SecurityContext = {
  authState,
  authClient: {
    signInWithRedirect: (options?: SignInOptions): Promise<void> =>
      oktaAuth.signInWithRedirect(options),
    signOut: (): Promise<boolean> => {
      console.log('called signout');
      return oktaAuth.signOut();
    },
    isAuthenticated: () => {
      console.log('called isAuthenticated');
      return oktaAuth.isAuthenticated();
    },
    getAccessToken: () => {
      console.log('called getAccessToken');
      console.log({
        accessToken: authState?.accessToken?.accessToken,
        oneLevelUp: authState?.accessToken,
      });
      return authState?.accessToken?.accessToken;
    },
    renewTokens: (): Promise<Tokens> => {
      console.log('called renewTokens');
      return oktaAuth.token.renewTokens();
    },
    setTokens: (token: Tokens) => {
      console.log('called setTokens');
      oktaAuth.tokenManager.setTokens(token);
    },
  },
  capabilities: capabilitiesContext,
};
```

Config options:

```typescript
const options = {
  oktaConfig: {
    clientId: process.env.OKTA_CLIENT_ID || '',
    issuer: process.env.OKTA_ISSUER || '',
    redirectUri: `${window.location.origin}/okta/callback`,
    restoreOriginalUri,
  },
  capabilitiesConfig: {
    enabled: false,
  },
};
```

We are using setTokens and renewTokens in an SSE event handler, and only when the connection fails. After some time I get a token whose expiresAt and the current time differ by only 1 second. Am I missing something in renewTokens?

A few observations I noted while monitoring my app:

  1. After some time, when the SSE connection error happens, our app emits one Okta error: The client specified not to prompt, but the user is not logged in.
  2. There is another type of issue that comes with the SSE connection error, and only very sporadically: Error: Okta error: OAuth flow timed out


Reproduction Steps?

Behaviour similar to https://github.com/okta/okta-auth-js/issues/1445#issuecomment-2293899628

SDK Versions

System:
  OS: macOS 14.5
  CPU: (10) arm64 Apple M2 Pro
  Memory: 60.28 MB / 16.00 GB
  Shell: 5.9 - /bin/zsh
Binaries:
  Node: 18.4.0 - ~/.nvm/versions/node/v18.4.0/bin/node
  npm: 8.12.1 - ~/.nvm/versions/node/v18.4.0/bin/npm
Browsers:
  Brave Browser: 127.1.68.141
  Chrome: 128.0.6613.85
  Safari: 17.5
npmPackages:
  @okta/okta-auth-js: 5.11.0 => 5.11.0
  @okta/okta-react: 6.4.3 => 6.4.3

Additional Information?

No response

jaredperreault-okta commented 1 month ago

@ashishbairwa I see you're using offline_access. I just want to confirm you're using refresh tokens. When refreshing a token do you see network calls to /authorize or /token?

I'd suggest you try upgrading to the latest version. 5.X has been retired.

ashishbairwa commented 1 month ago

@jaredperreault-okta yes, I can see the call successfully happening to /token. I bumped up the version to stable 7.1.1 but still seeing the issue happening.
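An added diagnostic, not code from the reporter or from okta-auth-js, that separates the possible causes behind "renewTokens returned a token expiring 1 second from now" and the maintainer's question of whether a fresh token actually came back from /token. It assumes only the documented shape of the SDK's AccessToken object (`accessToken` JWT string, `expiresAt` in seconds since epoch, `claims.iat`/`claims.exp` in seconds); the thresholds and the sample tokens are constructed for this example.

```typescript
// Minimal structural type matching the okta-auth-js AccessToken fields we inspect (assumption).
interface RenewedAccessToken {
  accessToken: string;
  expiresAt: number;                       // seconds since epoch, as stored by tokenManager
  claims: { iat?: number; exp?: number };  // issuer's own timestamps, seconds since epoch
}

type Diagnosis = 'not-renewed' | 'clock-skew' | 'short-lifetime' | 'expiring' | 'ok';

const MAX_SKEW_SECONDS = 120;      // tolerated drift between browser clock and issuer's iat
const MIN_REMAINING_SECONDS = 30;  // below this a token is useless for reconnecting an SSE stream

function diagnoseRenewedToken(
  previous: RenewedAccessToken | undefined,
  renewed: RenewedAccessToken,
  nowSeconds: number = Math.floor(Date.now() / 1000),
): Diagnosis {
  // Same JWT string back: the SDK served its cached token, no /token exchange happened.
  if (previous && previous.accessToken === renewed.accessToken) return 'not-renewed';
  const { iat, exp } = renewed.claims;
  // Issuer says the token was minted far from "now": the client clock is off, so every
  // expiresAt-vs-now comparison made in the browser is unreliable.
  if (iat !== undefined && Math.abs(nowSeconds - iat) > MAX_SKEW_SECONDS) return 'clock-skew';
  // Issuer minted a token with a tiny lifetime: an authorization-server policy problem.
  if (iat !== undefined && exp !== undefined && exp - iat < MIN_REMAINING_SECONDS) return 'short-lifetime';
  // Clocks agree and the lifetime is sane, but the token handed back is nearly spent.
  if (renewed.expiresAt - nowSeconds < MIN_REMAINING_SECONDS) return 'expiring';
  return 'ok';
}

// Constructed sample token (not real Okta output); `body` stands in for the JWT string.
function sampleToken(iat: number, lifetime: number, body: string): RenewedAccessToken {
  return { accessToken: body, expiresAt: iat + lifetime, claims: { iat, exp: iat + lifetime } };
}

// Stand-alone demo: three ways the "1 second left" symptom can arise.
function runDemo(): Diagnosis[] {
  const t = 1_700_000_000;
  const prev = sampleToken(t - 3600, 3600, 'jwt.prev');
  return [
    diagnoseRenewedToken(prev, sampleToken(t, 3600, 'jwt.fresh'), t),    // ok
    diagnoseRenewedToken(prev, prev, t),                                  // not-renewed
    diagnoseRenewedToken(prev, sampleToken(t - 3599, 3600, 'jwt.x'), t),  // clock-skew
    diagnoseRenewedToken(prev, sampleToken(t, 1, 'jwt.y'), t),            // short-lifetime
  ];
}
console.log(runDemo());
```

Wire it in where `renewTokens` resolves: log the diagnosis next to the /token request so the reporter can tell a cached token from a skewed clock from a server-side lifetime.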