Intermittent Invalid Session Errors with Okta SDK (OAuth) in Spring Boot on AWS EBS

[cchaubey]

Describe the bug?

We are experiencing intermittent "invalid session" errors in our Spring Boot application running on AWS Elastic Beanstalk (EBS). This application utilizes the Okta SDK with an OAuth 2.0 configuration to authenticate calls to Okta APIs.
When the application is redeployed using an Okta API token configuration instead of OAuth 2.0, the issue does not occur.

Mar 7 11:02:55 ip-10-82-154-53 web[150640]: 2025-03-07T11:02:55.574Z TRACE 150640 --- [] [nio-8080-exec-9] o.s.web.method.HandlerMethod : Arguments: [ApiException{code=403, responseHeaders={Keep-Alive=[timeout=5, max=100], Transfer-Encoding=[chunked], Server=[nginx], Connection=[Keep-Alive], p3p=[CP="HONK"], Date=[Fri, 07 Mar 2025 11:02:55 GMT], set-cookie=[sid="";Version=1;Path=/;Max-Age=0, xids="";Version=1;Path=/;Max-Age=0, autolaunch_triggered=""; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/, activate_ca_modal_triggered=""; Expires=Thu, 01 Jan 1970 00:00:10 GMT; Path=/], Strict-Transport-Security=[max-age=315360000; includeSubDomains], x-xss-protection=[0], x-content-type-options=[nosniff], x-okta-request-id=[Z8rSXyeHyBYXMKc7TdLFkgAACc0], Vary=[Accept-Encoding], content-security-policy-report-only=[frame-ancestors 'self'; report-uri https://oktacsp.report-uri.com/r/t/csp/reportOnly; report-to csp], Content-Type=[application/json]}, responseBody='{"errorCode":"E0000005","errorSummary":"Invalid session","errorLink":"E0000005","errorId":"oaelZ1I-QI1RjKjJtRRkEvVrg","errorCauses":[]}'}]
Mar 7 11:02:55 ip-10-82-154-53 web[150640]: 2025-03-07T11:02:55.574Z ERROR 150640 --- [] [nio-8080-exec-9] c.w.i.u.config.GlobalExceptionHandler : {"errorCode":"E0000005","errorSummary":"Invalid session","errorLink":"E0000005","errorId":"oaelZ1I-QI1RjKjJtRRkEvVrg","errorCauses":[]} : {"errorCode":"E0000005","errorSummary":"Invalid session","errorLink":"E0000005","errorId":"oaelZ1I-QI1RjKjJtRRkEvVrg","errorCauses":[]}
Mar 7 11:02:55 ip-10-82-154-53 web[150640]: 2025-03-07T11:02:55.574Z DEBUG 150640 --- [] [nio-8080-exec-9] o.s.w.s.m.m.a.HttpEntityMethodProcessor : Using 'application/json', given [application/json, text/plain, /] and supported [application/json, application/*+json]

What is expected to happen?

We don't expect any Intermitted issue from SDK.

What is the actual behavior?

Getting Intermitted issue after 2 days of deployment.

Reproduction Steps?

Deploy springboot app in AWS EBS which uses okta-sdk-java , Oauth config to connect with okta server.

Additional Information?

No response

Java Version

<java.version>17</java.version>

SDK Version

20.0.1

OS version

No response

[prachi-okta]

Hi, thanks for reporting this! I will be taking a look at this.

[adenix]

We are also seeing this issue. Our servers launch and establish an initial session, operate for a couple of days, and then auto rotation seems to fail causing all future operations to fail until the servers are restarted.

We are using private key authorization mode.

My current cluster launched 2025-04-08 10:01:04 PDT. The problem looks to present in that cluster around 2025-04-11 14:00:00 PDT.

@Configuration
@EnableConfigurationProperties(WorkforceIdentityCloudProperties.class)
public class WorkforceIdentityCloudConfiguration {

    @Bean
    @ConditionalOnProperty(name = "okta.wic.enabled", matchIfMissing = true)
    public ApiClient backstageWicClient(WorkforceIdentityCloudProperties properties) {
        return Clients.builder()
                .setOrgUrl(String.format("https://%s", properties.domain()))
                .setAuthorizationMode(AuthorizationMode.PRIVATE_KEY)
                .setClientId(properties.clientId())
                .setKid(properties.kid())
                .setScopes(properties.scope())
                .setPrivateKey(properties.privateKey())
                .build();
    }
}

com.okta.sdk.resource.client.ApiException: {"errorCode":"E0000005","errorSummary":"Invalid session","errorLink":"E0000005","errorId":"oaeGtP03e1hRu2nQ1nrfSRa2A","errorCauses":[]}
  at com.okta.sdk.resource.client.ApiClient.processResponse(ApiClient.java:1068)
  at com.okta.sdk.resource.client.ApiClient.invokeAPI(ApiClient.java:1191)
  at com.okta.sdk.resource.api.GroupApi.getGroup(GroupApi.java:333)
  at com.okta.sdk.resource.api.GroupApi.getGroup(GroupApi.java:283)
  at com.netflix.backstage.provider.group.WorkforceIdentityCloudGroupProvider.getGroup(WorkforceIdentityCloudGroupProvider.java:50)
  at com.netflix.backstage.activity.impl.GroupProviderActivitiesImpl.getGroupByReference(GroupProviderActivitiesImpl.java:52)
  at jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
  at java.lang.reflect.Method.invoke(Method.java:580)
  at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:359)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:196)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
  at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184)
  at org.springframework.aop.framework.CglibAopProxy$DynamicAdvisedInterceptor.intercept(CglibAopProxy.java:727)
  at com.netflix.backstage.activity.impl.GroupProviderActivitiesImpl$$SpringCGLIB$$0.getGroupByReference(<generated>:-1)
  at jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
  at java.lang.reflect.Method.invoke(Method.java:580)
  at io.temporal.internal.activity.RootActivityInboundCallsInterceptor$POJOActivityInboundCallsInterceptor.executeActivity(RootActivityInboundCallsInterceptor.java:64)
  at io.temporal.internal.activity.RootActivityInboundCallsInterceptor.execute(RootActivityInboundCallsInterceptor.java:43)
  at io.temporal.internal.activity.ActivityTaskExecutors$BaseActivityTaskExecutor.execute(ActivityTaskExecutors.java:107)
  at io.temporal.internal.activity.ActivityTaskHandlerImpl.handle(ActivityTaskHandlerImpl.java:124)
  at io.temporal.internal.worker.ActivityWorker$TaskHandlerImpl.handleActivity(ActivityWorker.java:291)
  at io.temporal.internal.worker.ActivityWorker$TaskHandlerImpl.handle(ActivityWorker.java:255)
  at io.temporal.internal.worker.ActivityWorker$TaskHandlerImpl.handle(ActivityWorker.java:218)
  at io.temporal.internal.worker.PollTaskExecutor.lambda$process$1(PollTaskExecutor.java:106)
  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
  at java.lang.Thread.run(Thread.java:1583)

[adenix]

I'ved opened case 02398652 for this with support.

[adenix]

Here's an update from my support case: The issue, at least how I am experiencing it, is related to the DPoP requirement. The SDK gets a valid DPoP token on initial bootstrap but doesn't rotate the token when it expires. This leads to all requests failing until the service is bounced.

As a temporary workaround, disabling the DPoP requirement on the client resolves the issue. I'm waiting for Okta's Thursday Support/Engineering review cycle to see if Engineering picks this up as a bug to fix.

It looks like the SDK is supposed to start rotating after 22 hours, but that doesn't appear to be happening. I have hourly jobs running at a minimum, so I shouldn't be hitting a scenario where there are no calls between the 22nd and 24th hour.
https://github.com/okta/okta-sdk-java/blob/master/impl/src/main/java/com/okta/sdk/impl/oauth2/DPoPInterceptor.java#L61-L62

[cchaubey]

We were able to resolve the issue similarly, but I thank you for posting it here @adenix .

[prachi-okta]

Hi, this has been addressed in the newer release v25.0.0 - we have updated refresh logic for token so the intermittent errors should now be resolved.