
[SDK-1739] Recover and logout when throwing invalid_grant on Refresh Token #668

Merged
merged 5 commits into from
Dec 8, 2020

Conversation

@frederikprijck frederikprijck (Member) commented Dec 7, 2020

Description

This PR ensures the SDK can recover from being instantiated using an invalid Refresh Token.

  • When using getTokenSilently with Refresh Tokens and the Refresh Token is expired:
    • the invalid_grant error is caught and used to fall back to loginWithIFrame
    • loginWithIframe logs out the user when it returns a login_required error.

References

Closes #654
#449

Testing

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not master

@frederikprijck frederikprijck added the review:medium Medium review label Dec 7, 2020
@frederikprijck frederikprijck added this to the vNext milestone Dec 7, 2020
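The recovery path the description lays out (refresh-token grant, fall back to the silent iframe on invalid_grant, reset local state and log out on login_required) as an added example. This is not auth0-spa-js code: SpaClient, refreshGrant, iframeLogin, logout, runScenario and SCENARIOS are hypothetical names, the OAuthError shape only assumes the standard OAuth 2.0 error/error_description fields, and the endpoint replies are constructed in-process so the file runs offline. It also covers a case the description does not spell out: a non-invalid_grant failure from the token endpoint must not trigger the fallback or the logout.

```javascript
// Added example, not code from auth0-spa-js. Models the recovery path described
// in the PR: refresh-token grant -> on invalid_grant fall back to the silent iframe
// -> on login_required clear local state and log out. All endpoint behaviour is
// faked in-process with constructed responses.

const INVALID_GRANT = 'invalid_grant';
const LOGIN_REQUIRED = 'login_required';

// Error shape modelled on an OAuth 2.0 error response ({error, error_description}).
class OAuthError extends Error {
  constructor(error, description) {
    super(description || error);
    this.error = error;
    this.error_description = description;
  }
}

// Hypothetical SPA client. The three collaborators are injected so each failure
// mode can be scripted; they stand in for the SDK's transport, not replicate it.
class SpaClient {
  constructor({ refreshGrant, iframeLogin, logout }) {
    this.refreshGrant = refreshGrant;
    this.iframeLogin = iframeLogin;
    this.logout = logout;
    this.cache = { refreshToken: null, accessToken: null };
    this.isAuthenticated = false;
  }

  // Simulates instantiating the SDK with a refresh token already in storage,
  // which may be stale or revoked (the situation the PR fixes).
  bootstrap(refreshToken) {
    this.cache.refreshToken = refreshToken;
    this.isAuthenticated = true;
  }

  store(tokens) {
    this.cache.accessToken = tokens.access_token;
    if (tokens.refresh_token) this.cache.refreshToken = tokens.refresh_token;
    this.isAuthenticated = true;
  }

  async getTokenSilently() {
    if (this.cache.refreshToken) {
      try {
        const tokens = await this.refreshGrant(this.cache.refreshToken);
        this.store(tokens);
        return tokens.access_token;
      } catch (e) {
        // Only invalid_grant means "this refresh token is unusable". Anything
        // else (network, 5xx, unexpected exception) surfaces to the caller.
        if (e.error !== INVALID_GRANT) throw e;
        this.cache.refreshToken = null; // never retry a token Auth0 has rejected
      }
    }
    try {
      const tokens = await this.iframeLogin();
      this.store(tokens);
      return tokens.access_token;
    } catch (e) {
      if (e.error === LOGIN_REQUIRED) {
        // No Auth0 session either (or third-party cookies blocked): the local
        // authenticated state is stale, so reset it and sign out.
        this.isAuthenticated = false;
        this.cache = { refreshToken: null, accessToken: null };
        await this.logout();
      }
      throw e;
    }
  }
}

// Constructed scenarios: what the faked refresh grant and iframe login reply with.
const SCENARIOS = {
  refresh_ok: { refresh: { access_token: 'at-1', refresh_token: 'rt-2' } },
  refresh_expired_iframe_ok: {
    refresh: new OAuthError(INVALID_GRANT, 'Unknown or invalid refresh token.'),
    iframe: { access_token: 'at-3' },
  },
  refresh_expired_no_session: {
    refresh: new OAuthError(INVALID_GRANT, 'Unknown or invalid refresh token.'),
    iframe: new OAuthError(LOGIN_REQUIRED, 'Login required'),
  },
  server_error: { refresh: new OAuthError('server_error', 'upstream failure') },
};

// Runs one scenario and returns the observable outcome: which operations ran,
// the token obtained, the error code surfaced, and the client's final state.
async function runScenario(name) {
  const s = SCENARIOS[name];
  const calls = [];
  const reply = (step, value) => async () => {
    calls.push(step);
    if (value instanceof Error) throw value;
    return value;
  };
  const client = new SpaClient({
    refreshGrant: reply('refresh', s.refresh),
    iframeLogin: reply('iframe', s.iframe),
    logout: reply('logout', undefined),
  });
  client.bootstrap('rt-stale');
  const result = { calls, token: null, error: null };
  try {
    result.token = await client.getTokenSilently();
  } catch (e) {
    result.error = e.error;
  }
  result.isAuthenticated = client.isAuthenticated;
  return result;
}

Promise.all(Object.keys(SCENARIOS).map(name => runScenario(name)))
  .then(results => results.forEach(r => console.log(JSON.stringify(r))));
```

The branch on `e.error` rather than on the error description text is deliberate: the code is the stable part of an OAuth error response. The server_error scenario shows why the guard matters: a transient failure leaves the refresh token and the authenticated flag untouched, so the user is not logged out by an outage.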

if (e.error === 'login_required') {
_self.isAuthenticated = false;
}
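Review bot: the `login_required` branch only flips `_self.isAuthenticated` to false; if the playground also keeps cached user or token data for display, clear it in the same branch so the UI does not keep showing details of a session Auth0 has just said does not exist.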
frederikprijck (Member, Author) commented:

This catches the login_required in our playground, allowing us to reset the authentication state when needed based on the response from Auth0.

@frederikprijck frederikprijck marked this pull request as ready for review December 7, 2020 14:37
@frederikprijck frederikprijck requested a review from a team as a code owner December 7, 2020 14:37
e.message &&
e.message.indexOf(INVALID_REFRESH_TOKEN_ERROR_MESSAGE) > -1
) {
return await this._getTokenFromIFrame(options);
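Review bot: keying the fallback on `e.message.indexOf(INVALID_REFRESH_TOKEN_ERROR_MESSAGE)` ties it to human-readable error text, which can change without notice; the stable discriminator is the error code, which the PR title itself names as `invalid_grant`, so prefer `e.error === 'invalid_grant'` (the message match can stay as a secondary signal if older responses need it). Keep the `return await` rather than a bare `return` if this sits inside a try/catch, since only an awaited rejection is caught in this frame.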
frederikprijck (Member, Author) commented:

This introduces an additional request in Safari where we know up front it will return login_required, while for other browsers it might still work.

I do not think the SDK is currently tracking which browsers can use iframe, nor do I think it should, so I wonder what you think about this extra request.

Contributor replied:

I think it's fine to leave it, we don't do browser detection for this elsewhere and it will work for other browsers that also block third-party cookies.

@stevehobbsdev stevehobbsdev (Contributor) left a comment

Looks good, just had a comment about the double if statement.

Comment on lines 955 to 958
if (
e.message &&
e.message.indexOf(INVALID_REFRESH_TOKEN_ERROR_MESSAGE) > -1
) {
Contributor commented:

Maybe we can unify this if block with the conditional above it, rather than having two if's? Feels like we could do it with an or expression.

Labels
CH: Fixed PR is fixing a bug review:medium Medium review
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Can't create auth0 client when refresh token is invalid (e.g. outdated)
2 participants