
[Bug]: AutoLoginPartialRoutesGuard is not trying to silentRenew if refresh token still valid #1968

Open
machovec opened this issue Jun 17, 2024 · 2 comments


machovec commented Jun 17, 2024

Version

17

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

22:32:30.476 [DEBUG] XXX - persisted idToken and accessToken are valid angular-auth-oidc-client.js:214:13
22:32:31.287 Navigated to https://<our-identity-provider>/auth?client_id=...
22:32:31.302 [DEBUG] XXX - persisted accessToken is expired

Steps to reproduce the behavior

Setup configuration like so:

```ts
// Imports added for completeness; both types are exported by angular-auth-oidc-client.
// `environment` is the application's own environment file (app-specific, not part of the library).
import { LogLevel, PassedInitialConfig } from 'angular-auth-oidc-client';
import { environment } from './environments/environment';

export const authConfig: PassedInitialConfig = {
  config: {
    ...environment.oauth,
    postLoginRoute: '/',
    forbiddenRoute: '/forbidden',
    unauthorizedRoute: '/unauthorized',
    authority: environment.oauth.authority,
    redirectUrl: `${window.location.origin}/callback`,
    postLogoutRedirectUri: `${window.location.origin}/logout`,
    historyCleanupOff: true,
    responseType: 'code',
    silentRenew: true,
    useRefreshToken: true,
    // renew the access token 270 s before it expires
    renewTimeBeforeTokenExpiresInSeconds: 270,
    secureRoutes: [environment.api.xxx, environment.api.yyy],
    ignoreNonceAfterRefresh: true,
    renewUserInfoAfterTokenRenew: true,
    triggerRefreshWhenIdTokenExpired: false,
    logLevel: LogLevel.Debug,
  },
};
```

Use AutoLoginPartialRoutesGuard to protect some routes.

During navigation between protected routes (using the menu or links), in case the navigation is timed right after the accessToken has expired but before silentRenew finishes renewing the accessToken using the refreshToken, the guard checks using the method checkAuth(), which leads to isAuthenticated being false and continues to loginService.login(). This redirects to our identity provider and calls the /auth endpoint, starting a new Code flow with PKCE. This can be finished, but at the cost of returning to the app using the /callback endpoint, which leads to losing app state on the client.

A clear and concise description of what you expected to happen.

I wonder why AutoLoginPartialRoutesGuard is not trying to use a still valid refreshToken to obtain a new accessToken?

I expect it to try to use the refreshToken if it is valid and only after that fails start a new login flow from scratch.

Additional context

No response
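The race described in this issue, as an added, framework-free TypeScript model (not code from angular-auth-oidc-client): the guard as reported only asks whether the access token is unexpired and otherwise starts a fresh authorization-code flow; the guard the reporter expects tries a refresh first and falls back to a new login only when the refresh token is also unusable. The clock is injected so the window "access token expired, refresh token still valid" can be reproduced deterministically. `refreshWithProvider` is a constructed stand-in for the identity provider's token endpoint, and the `renewMarginSeconds` option mirrors the idea behind `renewTimeBeforeTokenExpiresInSeconds`; wiring this into a real Angular guard would use the library's `checkAuth()`, `forceRefreshSession()` and `authorize()` methods, which is my reading and not something the issue itself specifies.

```typescript
// Added example, not part of the angular-auth-oidc-client project.
// All times are epoch seconds; the caller passes `now` so the race can be simulated.

type Tokens = {
  accessTokenExpiresAt: number;  // when the access token stops being accepted
  refreshTokenExpiresAt: number; // when the refresh token stops being accepted
};

type GuardOutcome = 'allow' | 'allow-after-refresh' | 'redirect-to-login';

// Constructed stand-in for the identity provider's token endpoint (assumption):
// it honours the refresh token only while unexpired and issues a new access token
// valid for `accessTokenLifetime` seconds.
function refreshWithProvider(
  tokens: Tokens,
  now: number,
  accessTokenLifetime: number,
): Tokens | null {
  if (now >= tokens.refreshTokenExpiresAt) {
    return null; // provider rejects the expired refresh token
  }
  return {
    accessTokenExpiresAt: now + accessTokenLifetime,
    refreshTokenExpiresAt: tokens.refreshTokenExpiresAt,
  };
}

// Behaviour the issue reports: the only question asked is "is the access token
// still valid?", and a "no" goes straight to a new code flow, losing client state.
function guardAsReported(tokens: Tokens, now: number): GuardOutcome {
  return now < tokens.accessTokenExpiresAt ? 'allow' : 'redirect-to-login';
}

type RefreshFirstOptions = {
  renewMarginSeconds?: number;  // treat the token as due for renewal this early
  accessTokenLifetime?: number; // lifetime the simulated provider grants
};

// Behaviour the issue expects: if the access token is expired (or about to be),
// try the refresh token first; only when that fails start a login from scratch.
function guardWithRefreshFirst(
  tokens: Tokens,
  now: number,
  opts: RefreshFirstOptions = {},
): { outcome: GuardOutcome; tokens: Tokens } {
  const margin = opts.renewMarginSeconds ?? 0;
  const lifetime = opts.accessTokenLifetime ?? 300;

  if (now < tokens.accessTokenExpiresAt - margin) {
    return { outcome: 'allow', tokens };
  }
  const renewed = refreshWithProvider(tokens, now, lifetime);
  if (renewed) {
    return { outcome: 'allow-after-refresh', tokens: renewed };
  }
  return { outcome: 'redirect-to-login', tokens };
}

// Constructed scenario reproducing the race window: the access token expired
// one second ago, the refresh token is good for another hour.
const raceWindow: Tokens = { accessTokenExpiresAt: 1000, refreshTokenExpiresAt: 4600 };

function demo(): { reported: GuardOutcome; expected: GuardOutcome } {
  const now = 1001;
  return {
    reported: guardAsReported(raceWindow, now),
    expected: guardWithRefreshFirst(raceWindow, now).outcome,
  };
}

console.log(demo()); // { reported: 'redirect-to-login', expected: 'allow-after-refresh' }
```

The point of the model is the ordering of checks: the expensive, state-losing step (a full redirect to `/auth`) is the last resort, reached only once the refresh token has actually been rejected. Passing a non-zero `renewMarginSeconds` shows the proactive variant, where navigation inside the renew margin already triggers a refresh instead of waiting for the token to expire.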


machovec commented Jul 8, 2024

Probably this issue has the same source as #1883?

machovec pushed a commit to machovec/angular-auth-oidc-client that referenced this issue Jul 8, 2024
@GeroldSchierholz

It's related, but we are not using the guard but call oidcSecurityService methods. This is why your fix will not solve the general problem, but it's a good idea to just override "renewTimeBeforeTokenExpiresInSeconds" - although it looks like a hack ;)
