
Why does Okta SSO login fail until the page is refreshed?

Users accessing Quilt through Okta SSO may encounter a login failure that resolves only after manually refreshing the page. This is typically due to a failed SSO access token refresh caused by session or token handling issues.

Symptoms

Some users experience authentication errors when accessing Quilt via Okta SSO. Upon initial login, the page displays an error message and fails to load protected resources. Manually refreshing the page allows access to resume normally.

Observable indicators:

  • “Something went wrong” error message on screen

  • Console logs showing:

    • GraphQLError: Failed to refresh SSO access token

    • HTTP 401 errors from graphql endpoints

  • Affected products: Quilt Catalog (via Okta SSO)

  • Affected users: External collaborators or users with intermittent login success

Likely Causes

  • Session or token expiration before frontend retry logic executes

  • Session cookies not being sent or blocked due to SameSite/CORS restrictions

  • Okta session not persisting across login and token refresh attempts


Recommendations

1. Check Token Storage and Delivery

Ensure that the identity and access tokens are correctly stored and included in requests after login.

  • Inspect browser storage (Cookies, LocalStorage, or SessionStorage) to confirm that tokens are present:

    • Look for tokens like idToken, accessToken, or session-related cookies (e.g. sid)

  • Use DevTools to inspect failed /graphql requests:

    • Check that an Authorization: Bearer <token> header is present

    • Confirm session cookies are being sent with the request

If the token or the session cookie is missing from the request, the backend cannot authenticate it and returns a 401 error; this persists until a page refresh re-establishes the credentials.


2. Verify Okta Session and CORS Settings

Okta may not recognize or maintain the session properly across redirect and token refresh steps.

  • In the Okta Admin Console:

    • Go to Security → API → Trusted Origins and verify that the Quilt domain (e.g. https://quilt.yourcompany.com) is listed for both CORS and Redirect.

    • Check Security → Session settings for session lifetime and idle timeout limits.

  • Make sure the session cookie has:

    • SameSite=None; Secure attributes if used across domains

    • No restrictions from browser privacy features (especially in Safari or Brave)
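As an added diagnostic example (not Quilt's or Okta's own code) covering the checks in recommendations 1 and 2: a small JavaScript helper that takes a captured /graphql request and the session cookie's Set-Cookie value, as copied from DevTools, and reports why the request would be rejected. The header shape and the cookie name sid are assumptions; the sample inputs are constructed.

```javascript
// Added troubleshooting helper; assumes the request object mirrors what the
// DevTools Network tab shows ({ method, url, headers }) and that the session
// cookie is named "sid" (both assumptions, not Quilt/Okta specifics).

// Parse a Set-Cookie header value into { name, value, attrs }; attribute
// names are lower-cased, flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(setCookie) {
  const [pair, ...rest] = setCookie.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf("=");
    const k = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Cross-site cookie check: a missing SameSite defaults to Lax in current
// browsers, and SameSite=None is discarded unless Secure is also set.
function checkSessionCookie(setCookie) {
  const c = parseSetCookie(setCookie);
  const findings = [];
  const sameSite = String(c.attrs.samesite || "Lax").toLowerCase();
  if (sameSite !== "none") {
    findings.push(`cookie ${c.name}: SameSite=${sameSite} is not sent cross-site`);
  }
  if (!c.attrs.secure) {
    findings.push(`cookie ${c.name}: missing Secure attribute`);
  }
  return findings;
}

// Request check: is a bearer token present, and was the session cookie sent?
function checkGraphqlRequest(req, sessionCookieName) {
  const findings = [];
  const headers = Object.fromEntries(
    Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v]));
  if (!/^Bearer\s+\S+/.test(headers["authorization"] || "")) {
    findings.push("missing Authorization: Bearer header");
  }
  const sent = (headers["cookie"] || "").split(";").map((s) => s.trim().split("=")[0]);
  if (!sent.includes(sessionCookieName)) {
    findings.push(`session cookie ${sessionCookieName} not sent`);
  }
  return findings;
}

// Constructed sample of a failing request and a cookie that cannot travel cross-site.
const SAMPLE_REQUEST = { method: "POST", url: "/graphql",
  headers: { "Content-Type": "application/json", Cookie: "other=1" } };
const SAMPLE_SET_COOKIE = "sid=abc123; Path=/; HttpOnly; SameSite=Lax";
```

Run checkGraphqlRequest(SAMPLE_REQUEST, "sid") and checkSessionCookie(SAMPLE_SET_COOKIE) in the browser console with values pasted from DevTools; an empty array means that check passed.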


3. Workaround for Users

If the login fails, users can try:

  • Clicking the “Reload Page” button (if visible) or manually refreshing the browser

  • Logging out and logging back in to reset the session

  • Using a private/incognito browser window to eliminate cached or blocked cookies