-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Token renewal fails silently for some users, some of the time (3.0.4/3.0.8, third-party cookies allowed) #15
Comments
Upgraded to 3.0.8 a few days ago, the issue persists. Could it be related to @okta/okta-signin-widget starting the renewal process at the same time? |
I am also seeing this issue, we have set our okta access_token expiration to 5 minutes and it is very apparent that it doesn't always make a call to |
@patkovskyi I do not think it is related to the signin-widget for 2 reasons:
In your issue you mentioned Google Chrome. Does this issue only occur on chrome, or do you see it in other browsers? If it is only in chrome the hunch about multiple requests may be the culprit (to my knowledge only chrome will cancel requests), this would indicate a potential concurrency issue. Do you have multiple instances of auth-js or okta-react on the page? |
@Dewar0019 The current version of |
@aarongranick-okta I'm a bit confused, in the okta/okta-oidc-js#744 (comment) you've mentioned that the auto-renew mechanism is "active" since 3.0.3 version, no? Anyway, I tried both approaches:
and neither worked reliably. The first approach leads to some users eventually sending expired JWT tokens to the backend, the second approach causes some calls to |
We are also facing this issue and it is maddening. It only happens intermittently, but when it does the user is in a weird state and all network requests fail because their token is indeed invalid BUT the Okta SDK does not auto renew their token nor does it redirect users to login again. Sometimes having the user logout manually fixes the issue. Sometimes we have to have the user clear local storage and cookies in order for them to be able to use our application again. This has been happening for a while by the way as okta/okta-oidc-js#744 indicates. It would be nice if we could get an update from somebody from the Okta team on this issue as I do see there is an internal refs number listed in the issue I linked. We are using |
@nryoung - do you have any information on what triggers this condition? |
@swiftone Sure, it actually just happened to me again, so here is what I am seeing: In our dev environment we have the token timeout set to 5 mins to help diagnose this issue. Well, I see that Okta attempted to
However, it returned a I am now in an invalid state now. So, any requests I make to our backend fail with a The only solution for me now is to attempt to logout, which sometimes fails because of this issue: okta/okta-oidc-js#861 so if that fails then I have to manually clear my local storage. I should be clear, the above error response we get back is not the only error we get back from Okta that causes this state. Below you can see other error messages that cause us to get in to this state as well:
For whatever reason the Okta SDK has an invalid token at this point and redirects to the root |
@nryoung Do you have multiple Okta apps running on the same domain? Is it possible other apps are reading/writing to the same token storage? Also are you using the |
We do not, only one application per domain.
It's not we only have one React app running per domain.
We are not. |
I'm also having this issue, I moved from |
For those of you facing this issue we have implemented a workaround that seems to be working until this is fixed internally within the okta sdk: const checkExistenceOfOktaAccessToken = () => {
try {
JSON.parse(localStorage.getItem('okta-token-storage')).accessToken;
} catch (error) {
window.location.reload();
}
}; We manually check for the existence of the okta token on every render. When find that it no longer exists, we force the whole app to reload as it should exist at this point in the application no matter what. It's not the greatest workaround but until we can can actually rely on the |
A very helpful Okta support engineer responded to an inquiry about this and suggested what has turned out to be a very effective work-around. See import { Switch, Route, Redirect } from "react-router-dom";
import config from "./api/config";
import NotFoundPage from "./components/NotFoundPage";
import routes from "./routes";
import React from "react";
import { OurRestProviderProvider } from "./rest";
import { LoginCallback, SecureRoute, Security, useOktaAuth } from "@okta/okta-react";
function OurSecureRoute(props: any) {
const { authService } = useOktaAuth();
const safelyGetToken = async () => {
const token = await authService.getAccessToken();
if (token) return token;
// For some reason, access token in local storage is undefined.
// May happen if no network connectivity at the time the token would be renewed.
// Solution: refetch token from source and update token manager
const response = await authService._oktaAuth?.token?.getWithoutPrompt();
const accessToken = response?.tokens?.accessToken;
if (accessToken) {
authService._oktaAuth?.tokenManager?.add("accessToken", accessToken);
return accessToken.accessToken;
}
};
return (
<OurRestProvider
base={config.SERVICE_API_URL}
requestOptions={async () => ({ headers: { Authorization: `Bearer ${await safelyGetToken()}` } })}
>
<SecureRoute {...props} />
</RestfulProvider>
);
}
function AppWithSecurity() {
return (
<Switch>
<Route path="/implicit/callback" component={LoginCallback} />
<Redirect exact from="/" to={routes.DASHBOARD} />
<OurSecureRoute path="*" component={NotFoundPage} />
</Switch>
);
} |
@amacleay-cohere - is this change still relevant? |
Thanks for the reminder! We've had this workaround in place but it hasn't been triggered since we updated to v4, so we can remove it now. Thanks @amcdnl ! |
Hmmm - I've been having similar issues - I'm on v4 - I applied this tweak today - will let everyone know if it solves me problem. |
@amcdnl has applying the tweak solved your problem? |
@amcdnl @EricHedden With current version of |
@aarongranick-okta still seeing this exact same issue as described by @patkovskyi :
We are using Looking though the code, I do see that calls to okta/okta-auth-js documentation says this is the default option.
In any case, |
@theseyi As Aaron mentioned above, no workaround is still needed with the latest version. Can you try the react sample to see if you still see the issue? The default config enables token auto renew, you can also set expireEarlySeconds to make the renew easier to observe. If you still see issue with the sample app, please create a new one to track, the current thread is targeting to a retired version (3.x), the renew strategy has been changed in the latest version. |
@shuowu Thanks for taking a look, I will set up the react sample. However, part of the problem is that it is intermittent as @nryoung mentioned. However, a few quick questions on your response:
(1)
This is the code I'm referring to which is at current HEAD on the mainline branch master. const { autoRenew, autoRemove } = this.options.tokenManager || {};
if (accessToken && this.tokenManager.hasExpired(accessToken)) {
accessToken = null;
if (autoRenew) { (2)
This is just at development time right? since:
|
created related issue here @shuowu okta/okta-auth-js#924 |
Our setup:
Token ... renewed
logs from them).isAuthenticated
as recommended:idToken
andaccessToken
expiration time is set to 60 minutes in Okta.authService.getIdToken()
before each request to our backend (we then sendidToken
to the backend). This does not seem to help.expired
,renewed
, anderror
events. Here's a sequence of logs I'm seeing in one of the recent cases:Token with key accessToken has expired
Token with key idToken has expired
...
There's no
error
event orrenewed
event around. Note that "going to make a backend request" is logged before we callauthService.getIdToken
, so the most likely explanation for why it does not reach our backend is thatauthService.getIdToken
just hangs. Could it be related to the fact that Google Chrome does not start a new request if an identical request is already running? Is there some timeout for the token renewal request?The text was updated successfully, but these errors were encountered: