Refresh token request doesn't include custom query parameters by default. #514

Closed
Hawxy opened this issue Jun 25, 2020 · 1 comment · Fixed by #524
Labels
bug report This issue reports a suspect bug or issue with the SDK itself bug This points to a verified bug in the code

Comments

Hawxy commented Jun 25, 2020

Describe the problem

If you happen to have refresh tokens enabled and come back after token expiry, the initial request will be missing the custom query parameters you specified within your client initialization, thereby breaking any rule that relies on them.

What was the expected behavior?

Silent auth requests involving refresh tokens should probably include any custom parameters you've specified by default. This includes both manually calling getTokenSilently and the initial checkSession call invoked by createAuth0Client.

Reproduction

  1. Enable refresh tokens, localstorage cache, and set the token lifetime to 90 seconds (for testing).
  2. Add a custom query parameter to the createAuth0Client options, say tenant_id: 'test'
  3. Perform a hard refresh so the authorize call is made and your refresh token cache populated.
  4. Wait a bit
  5. Do a page refresh.
  6. Watch as your rule sets itself on fire when it tries to access the tenant_id field as it isn't being sent.

Workaround

I'm aware I can work around this by calling checkSession manually and passing in the custom options, but I'd argue this is a poor development experience, as you'd expect the custom query params set on the Auth0Client to be sent to your rule regardless of if refresh tokens are enabled or not.

Environment

  • Version of auth0-spa-js used: 1.10
  • Which framework are you using, if applicable (Angular, React, etc): Vue.js
@Hawxy Hawxy added the bug report This issue reports a suspect bug or issue with the SDK itself label Jun 25, 2020
@adamjmcgrath adamjmcgrath added the bug This points to a verified bug in the code label Jun 25, 2020
@adamjmcgrath
Contributor

Hi @Hawxy - yep, it should pick up those default parameters like the iframe method does.

Please continue to use the workaround you described for now and we'll schedule some work in to fix this.
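
The workaround discussed in this thread, generalized as an added example (not code from auth0-spa-js or from either commenter): a wrapper that merges the configured custom parameters into every `getTokenSilently` and `checkSession` call, and rejects locally if one would be sent empty. `withDefaultParams`, `makeStubClient`, `demo` and the `audience` URL are hypothetical names and constructed values; the stub stands in for a real client.

```javascript
// Added example: hypothetical helper, not part of auth0-spa-js.
const SILENT_METHODS = new Set(['getTokenSilently', 'checkSession']);

// Wrap an Auth0Client-like object so both silent-auth entry points always
// receive the custom parameters the server-side rule reads.
function withDefaultParams(client, defaults) {
  const required = Object.keys(defaults);
  return new Proxy(client, {
    get(target, prop) {
      const value = Reflect.get(target, prop);
      if (typeof value !== 'function') return value;
      if (!SILENT_METHODS.has(prop)) return value.bind(target);
      return (options = {}) => {
        // Per-call options win over defaults, as with any options merge.
        const merged = { ...defaults, ...options };
        // Reject locally if a caller blanked a parameter the rule depends on,
        // instead of letting the request reach the rule without it.
        const missing = required.filter(
          (key) => merged[key] === undefined || merged[key] === ''
        );
        if (missing.length > 0) {
          return Promise.reject(
            new Error(`missing custom parameter(s): ${missing.join(', ')}`)
          );
        }
        return value.call(target, merged);
      };
    },
  });
}

// Constructed stand-in for the SDK client so the example runs offline.
function makeStubClient() {
  const calls = [];
  return {
    calls,
    async getTokenSilently(options) { calls.push(['getTokenSilently', options]); return 'stub-token'; },
    async checkSession(options) { calls.push(['checkSession', options]); },
  };
}

async function demo() {
  const stub = makeStubClient();
  const client = withDefaultParams(stub, { tenant_id: 'test' });
  await client.checkSession();
  await client.getTokenSilently({ audience: 'https://api.example.test' });
  return stub.calls;
}
```

Because the wrapper only sees calls made through it, the first `checkSession` has to be issued by the application on the wrapped client for the parameters to be attached.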
