Fix: Okta Java SDK: Intermittent "Invalid session" (E0000005) errors - Adding updated refresh logic for token #1660

Merged: prachi-okta merged 1 commit into master from OKTA-1059235-token-refresh-fix on Dec 18, 2025

prachi-okta commented Dec 16, 2025

Summary

Fixes an issue where the OAuth2 SDK client gets stuck in an invalid state after a failed token refresh attempt, causing persistent E0000005 "Invalid session" errors.

Problem

When an OAuth2 access token expires and the refresh attempt fails (due to network issues, temporary server errors, etc.), the SDK enters a stuck state where:

  1. oAuth2AccessToken is set to null before the refresh attempt
  2. If refresh fails, oAuth2AccessToken remains null
  3. The original condition if (oAuth2AccessToken != null && ...) never triggers a retry because oAuth2AccessToken is null
  4. All subsequent API calls fail with authentication errors

This affects customers using OAuth2 client credentials authentication in environments with occasional network instability.

Solution

OAuth2ClientCredentials.java

  1. Added recovery logic for stuck state: The token refresh now triggers when:

    • Token exists but is about to expire (within 5 minutes) - original behavior
    • Token is null AND getAccessToken() is also null (stuck state) - new recovery path
  2. Added isRefreshing flag: Prevents recursive refresh attempts that could cause StackOverflowError when AccessTokenRetrieverServiceImpl calls back into OAuth2 methods during token retrieval.

  3. Graceful error handling: Failed refresh attempts are logged but don't throw exceptions, allowing retry on the next API call instead of permanently failing.

UrlResourceTest.groovy

Made the network-dependent test more resilient by catching SSL/network exceptions and skipping the test instead of failing the build in restricted network environments.

Changes

  • impl/src/main/java/com/okta/sdk/impl/oauth2/OAuth2ClientCredentials.java

    • Added isRefreshing volatile flag to prevent recursive refresh
    • Updated applyToParams() to handle stuck state recovery
    • Added try-catch for graceful error handling during refresh
    • Moved null check inside try block in refreshOAuth2AccessToken()
  • impl/src/test/groovy/com/okta/sdk/impl/io/UrlResourceTest.groovy

    • Added network error handling to skip test on SSL/connectivity issues

Testing

  • All existing unit tests pass (111 tests)
  • OAuth2 token refresh test validates both normal expiration and recovery scenarios
  • Integration tests verified separately

Related Issues

@prachi-okta prachi-okta merged commit 3bcac3c into master Dec 18, 2025
8 checks passed
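The stuck state and the recovery path described in this pull request, as an added example that is not code from the Okta SDK or from this PR: a self-contained model of a credentials holder with the null-token recovery check, the `isRefreshing` guard and the swallow-and-retry error handling. The class, method and field names other than `isRefreshing` are hypothetical, and the failing retriever is constructed for the demonstration.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.function.Supplier;

// Added illustration (Java 16+). All names here are hypothetical, not the Okta SDK's.
public class RefreshRecoveryDemo {
    record Token(String value, Instant expiresAt) {}

    static class Credentials {
        private static final Duration WINDOW = Duration.ofMinutes(5); // "about to expire" window
        private final Supplier<Token> retriever; // stands in for the token endpoint call
        private volatile Token token;
        private volatile boolean isRefreshing;   // blocks re-entrant refresh
        Credentials(Supplier<Token> retriever) { this.retriever = retriever; }

        // Returns the bearer value for this call, or null when no token could be obtained.
        String apply() {
            Token t = token;
            boolean expiring = t != null && Instant.now().plus(WINDOW).isAfter(t.expiresAt());
            boolean stuck = t == null; // recovery path: an earlier refresh left no token
            if ((expiring || stuck) && !isRefreshing) refresh();
            t = token;
            return t == null ? null : t.value();
        }

        private synchronized void refresh() {
            if (isRefreshing) return; // a callback from the retriever lands here and stops
            isRefreshing = true;
            try {
                token = null;            // cleared before the attempt, as in the PR description
                token = retriever.get();
            } catch (RuntimeException e) {
                // Swallow and log: the token stays null, so the next apply() retries.
                System.err.println("token refresh failed, retrying on next call: " + e.getMessage());
            } finally {
                isRefreshing = false;
            }
        }
    }

    public static void main(String[] args) {
        int[] attempts = {0}; // constructed retriever: first attempt fails, later ones succeed
        Credentials creds = new Credentials(() -> {
            if (attempts[0]++ == 0) throw new IllegalStateException("simulated network error");
            return new Token("token-" + attempts[0], Instant.now().plusSeconds(3600));
        });
        System.out.println("call 1 -> " + creds.apply());
        System.out.println("call 2 -> " + creds.apply());
    }
}
```

Run it with `java RefreshRecoveryDemo.java`: the first call has no token after the simulated failure, and the second call recovers because a null token now counts as a reason to refresh.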