Mitch Shields

Reputation: 156

JwtReadError (401 Status) when attempting the OAuth Authentication Flow a second time

I am in the process of building a plugin for Banno Mobile & Online. While following the documentation provided by the Jack Henry Digital Toolkit for authentication using the OAuth architecture, I was able to successfully complete the authentication flow and receive an access token and user profile information.

After some period of time has elapsed (in my testing, it appeared to be around 10 minutes), if I attempt to initiate the OAuth flow again, I receive an HTTP status code 401 response from the initial redirect to the /a/consumer/api/v0/oidc URL. I will continue to get the 401 response using the OAuth flow until I manually navigate to the Banno Online site and log in manually.

For my purpose, the use case would be a user that goes idle while in the full screen view of the plugin. I would like to re-authenticate the user, but attempting to do so by initiating the OAuth flow causes the above failure if a certain amount of time has elapsed. If I attempt to initiate the OAuth flow inside of 10 minutes from the initial authentication, it works as expected.

Upvotes: 0

Views: 201

Answers (1)

Jaime Lopez Jr.

Reputation: 671

An Access Token currently has a lifetime of 10 minutes from when that specific token was issued, which sounds like what you're seeing. See Access Tokens for reference.

One way of handling the expiration of an Access Token is to request a Refresh Token during the initial authentication flow. A Refresh Token can be exchanged for a new Access Token. See Refresh Tokens and OpenID Connect and OAuth 2.0 for reference.

In this case, you can request a Refresh Token during the initial authentication flow by including the OAuth scope https://api.banno.com/consumer/auth/offline_access in the authentication request.

The Refresh Token can be exchanged for a new Access Token using the POST /oidc/token endpoint. See the API Reference for details.

Upvotes: 1
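The refresh flow described in the answer above, as an added example that is not part of the original answer or of Jack Henry's documentation: it builds the authorization request with the offline_access scope, builds the refresh request for POST /oidc/token, and tracks when the 10-minute Access Token needs replacing. The host, client values, the "/auth" path and sending the client secret in the form body are assumptions; the refresh parameters follow RFC 6749 section 6.

```javascript
// Added example. Host, client values and the "/auth" path are placeholders/assumptions.
const OFFLINE_ACCESS = "https://api.banno.com/consumer/auth/offline_access";

// Authorization request that also asks for a Refresh Token.
function buildAuthorizationUrl({ issuer, clientId, redirectUri, state }) {
  const url = new URL(`${issuer}/auth`); // assumed authorization endpoint path
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: `openid ${OFFLINE_ACCESS}`,
    state, // per-request random value, checked again on the callback
  }).toString();
  return url.toString();
}

// RFC 6749 section 6 refresh request for POST /oidc/token.
function buildRefreshRequest({ issuer, clientId, clientSecret }, refreshToken) {
  return {
    url: `${issuer}/token`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: new URLSearchParams({
      grant_type: "refresh_token",
      refresh_token: refreshToken,
      client_id: clientId,
      client_secret: clientSecret, // assumption: confidential client, server side only
    }).toString(),
  };
}

// Holds the current token set and decides when a refresh is due.
class TokenStore {
  constructor(tokenResponse, nowMs) { this.update(tokenResponse, nowMs); }
  update(resp, nowMs) {
    this.accessToken = resp.access_token;
    // Keep the previous Refresh Token unless the server rotated it.
    this.refreshToken = resp.refresh_token || this.refreshToken;
    this.expiresAtMs = nowMs + resp.expires_in * 1000;
  }
  // Refresh slightly early so no request carries an expired Access Token.
  needsRefresh(nowMs, skewMs = 30000) { return nowMs >= this.expiresAtMs - skewMs; }
}
```

Send the object returned by buildRefreshRequest from the plugin's backend, so the Refresh Token and client secret never reach the browser, and pass the parsed JSON response to TokenStore.update.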
