OAuth2: onAuthError callback not invoked #45

Closed
shtools-gmbh opened this issue Jun 30, 2021 · 6 comments

@shtools-gmbh

Hi, I'm using version 7.1.1 of this library and I'm trying to handle the case when the refresh token is expired. There is the option onAuthError I found in your docs, but I can't get it to work.

Token refresh is working and the onTokenUpdate callback is triggered on update, whereas on error with status code 401 the onAuthError callback is just not called.

halClient.use(oauth2({
    clientId: 'managerclient',
    clientSecret: 'secret',
    accessToken: access_token,
    refreshToken: refresh_token,
    tokenEndpoint: endpoint,
    onTokenUpdate: () => { // called on update
        Logger.info('token refreshed');
    },
    onAuthError: (error) => { // not called.
        Logger.error(error);

        // redirect to login
        dispatch(navigateToLoginRoute());
    }
}));

Is there something I'm missing?

@evert evert transferred this issue from badgateway/ketting Jun 30, 2021
@evert evert added the bug Something isn't working label Jun 30, 2021
@evert evert self-assigned this Jun 30, 2021
@evert
Collaborator

evert commented Jun 30, 2021

Hi!

Normally I wouldn't expect a 401 to trigger this error event, because a 401 alone should just cause the client to go back to the 'token' endpoint and refresh. If that fails (typically with a 400 Bad Request), the event should trigger.

Does that describe your case? If yes, it's indeed likely a bug!
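
The flow described in the comment above, as an added JavaScript illustration that is not part of the thread and not fetch-mw-oauth2's own code: a 401 triggers one refresh and one retry, and the error callback fires only when the token endpoint rejects the refresh token. `makeOAuth2Fetch`, `fakeServer` and the `/token` path are assumptions; the option names follow the snippet in the issue.

```javascript
// Added illustration, not fetch-mw-oauth2's code. makeOAuth2Fetch, fakeServer and
// the '/token' path are hypothetical; client authentication is left out for brevity.
function makeOAuth2Fetch(baseFetch, opts) {
  let { accessToken, refreshToken } = opts;
  let refreshing = null; // one shared refresh for concurrent 401s
  async function refresh() {
    const res = await baseFetch(opts.tokenEndpoint, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: new URLSearchParams({ grant_type: 'refresh_token', refresh_token: refreshToken }).toString(),
    });
    if (!res.ok) {
      // Refresh token rejected (typically 400): only a new login can recover.
      const err = new Error(`token refresh failed with HTTP ${res.status}`);
      if (opts.onAuthError) opts.onAuthError(err);
      throw err;
    }
    const body = await res.json();
    accessToken = body.access_token;
    if (body.refresh_token) refreshToken = body.refresh_token; // token rotation
    if (opts.onTokenUpdate) opts.onTokenUpdate({ accessToken, refreshToken });
  }

  return async function oauth2Fetch(url, init = {}) {
    const send = () => baseFetch(url, {
      ...init, headers: { ...init.headers, Authorization: `Bearer ${accessToken}` },
    });
    const res = await send();
    if (res.status !== 401) return res;
    // A 401 alone is not an auth error: refresh, then retry the request once.
    refreshing = refreshing || refresh().finally(() => { refreshing = null; });
    await refreshing;
    return send();
  };
}

// Constructed stand-in for the API and token endpoint so the example runs offline.
function fakeServer(validRefreshToken) {
  const reply = (status, json = {}) => ({ status, ok: status < 400, json: async () => json });
  return async (url, init) => {
    if (url === '/token') {
      const sent = new URLSearchParams(init.body).get('refresh_token');
      return sent === validRefreshToken
        ? reply(200, { access_token: 'at-2', refresh_token: 'rt-2' })
        : reply(400, { error: 'invalid_grant' });
    }
    return init.headers.Authorization === 'Bearer at-2' ? reply(200) : reply(401);
  };
}
```

Each call to `makeOAuth2Fetch` closes over its own token pair, so a wrapper created before a new login keeps sending the refresh token it was constructed with.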

@evert
Collaborator

evert commented Jun 30, 2021

It appears the onAuthError event is actually never called. I must have had plans to implement this, but never completed it.

@evert
Collaborator

evert commented Jun 30, 2021

@shtools-gmbh I have a PR #46. Do you have a way to test if this works for you?

@shtools-gmbh
Author

Hi,
first of all, thank you for your efforts. I managed to include the changed version in my project. For testing purposes I modified my code to use the updated OAuth2 fetchMiddleware by doing the following:

import { OAuth2 } from 'fetch-mw-oauth2'; // updated version from forked repo
// ...
const loginUser = (access_token, refresh_token, endpoint) => {
    // ...
    const oauthTmp = new OAuth2({
        clientId: 'managerclient',
        clientSecret: 'secret',
        accessToken: access_token,
        refreshToken: refresh_token,
        tokenEndpoint: endpoint,
        onTokenUpdate: () => {
            Logger.info('token refreshed');
        },
        onAuthError: (error) => { // called now
            Logger.error('onAuthError', error);

            // redirect to login
            dispatch(navigateToLoginRoute());
        }
    });
    const oauth2 = oauthTmp.fetchMw.bind(oauthTmp); // inspired by ketting/src/http/oauth2.ts

    halClient.use(oauth2);
};

On the first occurrence of an invalid refresh token, the onAuthError callback is called and the user is redirected to the login page. So I would say that your implementation is working now.
My problem now is that on the subsequent login a new access and refresh token is set and for some reason onAuthError is triggered too, saying that the access and refresh tokens are invalid, and the user is immediately redirected to the login page again. As I can see in the error message, it uses the refresh token from the first login.
Sorry for mixing ketting and fetch-mw-oauth2 here... but is it possible that it's my usage of ketting.use() I have to change, e.g. reset somehow?

@evert
Collaborator

evert commented Oct 27, 2021

Hi @shtools-gmbh, I don't fully understand why it would keep redirecting on subsequent errors. Given your use of dispatch(), is it possible that this is an event that ends up on a redux event list, and never gets 'cleared'?

Sorry for the super late reply here, I get a lot of messages from GitHub and miss more than I'd like =(

@evert
Collaborator

evert commented Oct 27, 2021

I'm closing this as fixed for the moment though; as far as I can tell the flow should be correct.

@evert evert closed this as completed Oct 27, 2021