
Okta returning expired token from issuer after some inactivity #1534

Open
ashishbairwa opened this issue Aug 23, 2024 · 2 comments

@ashishbairwa

Describe the bug

Hi, team. I’m currently using okta auth release 5.11 in one of our apps. For some reason, after some time, when I call renew tokens I always get an expired one. Attaching a screenshot to show the current scopes in the project.

Here is a code snippet showing the usage:

Initializing oktaAuth:

```ts
import { useMemo } from 'react';
import { OktaAuth, Tokens } from '@okta/okta-auth-js';
// SignInOptions, SecurityContext, authState and capabilitiesContext are
// defined elsewhere in the app and are not shown here.

const oktaAuth: OktaAuth = useMemo(
  () =>
    new OktaAuth({
      clientId,
      issuer,
      redirectUri,
      scopes: ['openid', 'profile', 'email', 'offline_access'],
      pkce: true,
      tokenManager: {
        autoRenew: true,
        autoRemove: true,
      },
    }),
  [clientId, issuer, redirectUri],
);

const securityContext: SecurityContext = {
  authState,
  authClient: {
    signInWithRedirect: (options?: SignInOptions): Promise<void> =>
      oktaAuth.signInWithRedirect(options),
    signOut: (): Promise<boolean> => {
      console.log('called signout');
      return oktaAuth.signOut();
    },
    isAuthenticated: () => {
      console.log('called isAuthenticated');
      return oktaAuth.isAuthenticated();
    },
    getAccessToken: () => {
      console.log('called getAccessToken');
      console.log({
        accessToken: authState?.accessToken?.accessToken,
        oneLevelUp: authState?.accessToken,
      });
      return authState?.accessToken?.accessToken;
    },
    renewTokens: (): Promise<Tokens> => {
      console.log('called renewTokens');
      return oktaAuth.token.renewTokens();
    },
    setTokens: (token: Tokens) => {
      console.log('called setTokens');
      oktaAuth.tokenManager.setTokens(token);
    },
  },
  capabilities: capabilitiesContext,
};
```

Config options:

```ts
const options = {
  oktaConfig: {
    clientId: process.env.OKTA_CLIENT_ID || '',
    issuer: process.env.OKTA_ISSUER || '',
    redirectUri: `${window.location.origin}/okta/callback`,
    restoreOriginalUri,
  },
  capabilitiesConfig: {
    enabled: false,
  },
};
```

We are using setTokens and renewTokens in an SSE event handler, and only when the connection fails; after some time I get a token whose expiresAt and currentTime differ by only 1 second. Am I missing something in renewTokens?

A few observations that I noted while monitoring my app:

  1. After some time, when the SSE connection error happens, our app emits one Okta error: The client specified not to prompt, but the user is not logged in.
  2. There is another type of issue which comes with the SSE connection error, and that too very sporadically. Error: Okta error: OAuth flow timed out

[screenshot: current scopes in the project]

Reproduction Steps?

Behaviour similar to #1445 (comment)

  • Leaving the app inactive in a tab for some time (time duration is usually greater than 15-30 mins)
  • After some time we receive expired token with expiresAt having a difference of 1 with currentTime in mins

SDK Versions

System:
OS: macOS 14.5
CPU: (10) arm64 Apple M2 Pro
Memory: 60.28 MB / 16.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 18.4.0 - ~/.nvm/versions/node/v18.4.0/bin/node
npm: 8.12.1 - ~/.nvm/versions/node/v18.4.0/bin/npm
Browsers:
Brave Browser: 127.1.68.141
Chrome: 128.0.6613.85
Safari: 17.5
npmPackages:
@okta/okta-auth-js: 5.11.0 => 5.11.0
@okta/okta-react: 6.4.3 => 6.4.3

Additional Information?

No response

@jaredperreault-okta
Contributor

@ashishbairwa I see you're using offline_access. I just want to confirm you're using refresh tokens. When refreshing a token do you see network calls to /authorize or /token?

I'd suggest you try upgrading to the latest version. 5.X has been retired.

@ashishbairwa
Author

@jaredperreault-okta yes, I can see the call successfully happening to /token. I bumped up the version to stable 7.1.1 but still seeing the issue happening.
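The two things the thread turns on are (a) whether the renewed access token is actually usable, i.e. how far `expiresAt` is ahead of the current time, and (b) whether renewal goes through `/token` (refresh-token grant, possible because `offline_access` is requested) or through a silent `/authorize` call, which is the path that yields "The client specified not to prompt, but the user is not logged in" once the Okta session is gone. The following is an added example, not code from the issue or from the okta-auth-js project. It assumes the okta-auth-js token shape where `expiresAt` is Unix time in seconds, and it only depends on a minimal `renewTokens()` interface so that it runs without the SDK; the stub client and URLs are constructed for illustration.

```typescript
// Added example: verify a renewed token before trusting it, and classify the
// renewal endpoint observed in the network tab. Not part of okta-auth-js.

interface AccessTokenLike {
  accessToken: string;
  expiresAt: number; // Unix seconds, as okta-auth-js stores it (assumption stated in lead-in)
}

interface TokensLike {
  accessToken?: AccessTokenLike;
}

// The only part of the SDK surface this check needs. A real OktaAuth instance
// satisfies it via `{ renewTokens: () => oktaAuth.token.renewTokens() }`.
interface RenewingClient {
  renewTokens(): Promise<TokensLike>;
}

type RenewOutcome =
  | { status: 'ok'; token: AccessTokenLike; secondsRemaining: number }
  | { status: 'stale'; token: AccessTokenLike; secondsRemaining: number }
  | { status: 'missing' };

// Whole seconds until the token expires, relative to a caller-supplied clock
// (milliseconds) so the check is deterministic and testable.
function secondsRemaining(token: AccessTokenLike, nowMs: number): number {
  return Math.floor(token.expiresAt - nowMs / 1000);
}

// Pure decision step: a renewed token that expires within `minRemainingSeconds`
// is reported as stale rather than silently handed back to the app. The
// symptom in the issue (expiresAt one second ahead of now) lands here.
function verifyRenewedTokens(
  tokens: TokensLike,
  nowMs: number,
  minRemainingSeconds = 60,
): RenewOutcome {
  const token = tokens.accessToken;
  if (!token) return { status: 'missing' };
  const remaining = secondsRemaining(token, nowMs);
  if (remaining < minRemainingSeconds) {
    return { status: 'stale', token, secondsRemaining: remaining };
  }
  return { status: 'ok', token, secondsRemaining: remaining };
}

// Async wrapper an app would call instead of renewTokens() directly.
async function renewAndVerify(
  client: RenewingClient,
  nowMs: number,
  minRemainingSeconds = 60,
): Promise<RenewOutcome> {
  return verifyRenewedTokens(await client.renewTokens(), nowMs, minRemainingSeconds);
}

// Answer "do you see calls to /authorize or /token?" from a captured request
// URL. Query strings are ignored; only the Okta OAuth 2.0 path suffix matters.
function classifyRenewal(url: string): 'refresh_token_grant' | 'silent_authorize' | 'unknown' {
  const path = url.split('?')[0];
  if (/\/v1\/token$/.test(path)) return 'refresh_token_grant';
  if (/\/v1\/authorize$/.test(path)) return 'silent_authorize';
  return 'unknown';
}

// Constructed stand-in that reproduces the reported behaviour: the "renewed"
// token expires `lifetimeSeconds` after now (1 in the issue).
function stubClientReturningExpiring(nowMs: number, lifetimeSeconds: number): RenewingClient {
  return {
    renewTokens: async () => ({
      accessToken: {
        accessToken: 'constructed.jwt.value',
        expiresAt: Math.floor(nowMs / 1000) + lifetimeSeconds,
      },
    }),
  };
}

// Stand-alone demonstration using the constructed clock and stub.
const demoNowMs = 1724400000000;
renewAndVerify(stubClientReturningExpiring(demoNowMs, 1), demoNowMs).then((outcome) => {
  console.log(outcome.status, outcome.status === 'missing' ? '' : outcome.secondsRemaining);
});
```

On a `stale` or `missing` outcome the safe reaction is to treat the user as not authenticated and start an interactive sign-in (`signInWithRedirect`), rather than writing the near-expired token back with `setTokens` and retrying the SSE connection with it; checking the classification of the renewal request tells you whether the refresh-token grant is actually in play or whether the SDK fell back to a silent `/authorize` that requires a live Okta session.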
