Code Flow erroring out due to multiple expiry events #632
Comments
Thanks for the extensive details! I recall seeing similar issues (or at least: ones with similar symptoms), but can't find them at the moment...
I see the same behaviour in our application. We think the problem is in the setupSilentRefreshEventListener method. During refresh, tryLogin() happens asynchronously, so window.addEventListener('message', this.silentRefreshPostMessageEventListener); gets called before the asynchronous method finishes and replaces the tokens. Calling this method fires the second "token_expires" event.
I'm not sure if this is the reason b/c @Jejuni Did you find a solution or do you have a proposal for a solution? I'll look into this when making the next version ready, which will be soon b/c of Angular 9.
Hey, the bug happens with both implicit flow as well as code flow. The initial request is sent twice. This doesn't overly affect implicit flow, as it just incurs an additional trip to the IdP. Sadly we haven't implemented any satisfactory solution as of now.
I see. I'll find a solution for the next major version, which lands very soon (as Angular 9 is already RC). I'll make this a priority! It's important for security and to align with current best practices. Also thanks to @BioPhoton for pointing me to this!
Will be solved with Angular 9, which lands soon.
Describe the bug
When OAuthModule is set up, on initial app load, the code flow behaves as expected. Redirection occurs as expected, tokens are stored in sessionStorage (as per default) and refresh token usage works as expected as well (at 75% life of token, refresh token is retrieved from storage and sent to IdP to get new tokens).
When the user now hits F5, the flow initiates, but the "token_expires" event fires twice at the same time with info "id_token". This retrieves new tokens twice, also meaning that 2 refresh tokens get generated. Only one of these is valid thereafter, though.
Once the token expires again, the "token_expires" event only fires once. However, at that point it's a gamble whether or not the valid refresh token was saved to storage. If the valid token was saved, everything works as expected. If not, the IdP rejects the call, saying the refresh token was invalid.
This ALSO happens with implicit flow. After F5'ing the token_expires event fires twice. But since implicit flow just logs the user back in there is no problem with invalid data. It is, however, a wasted call.
To Reproduce
Set up a standard Identity Server configuration with localhost:5000:
Setup a very simple Angular app with ng new:
app.module
Switch the implementation of app.component to:
Expected behavior
The "token_expires" event only ever fires once for the actual situation of a token expiring.
Desktop (please complete the following information):
EDIT 1:
This problem also happens with the sample application provided with the repository.
Simply set the timeoutFactor on the config to some low value (0.01) and you can see the event being emitted twice. Also of note is that for an actual error to occur the identity server needs to be set to RefreshTokenUsage = OneTime (which generates a new refresh token every time). I believe the sample app's setting is set to ReUse, which circumvents the problem.
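The duplicate-timer race described in this issue, as an added example that is not code from angular-oauth2-oidc: a toy expiry scheduler driven by a fake clock (ExpiryScheduler, FakeClock and countExpiryEvents are all constructed names) shows that registering the expiry timer twice for the same token yields two token_expires events, while clearing the previous timer before re-registering yields exactly one.

```typescript
type TokenKind = "access_token" | "id_token";
type Listener = (kind: TokenKind) => void;

// Constructed fake clock so the timing race can be exercised synchronously.
class FakeClock {
  private timers = new Map<number, { at: number; fn: () => void }>();
  private nextId = 1;
  now = 0;
  setTimeout(fn: () => void, ms: number): number {
    const id = this.nextId++;
    this.timers.set(id, { at: this.now + ms, fn });
    return id;
  }
  clearTimeout(id: number): void { this.timers.delete(id); }
  advance(ms: number): void {
    this.now += ms;
    for (const [id, t] of Array.from(this.timers.entries())) {
      if (t.at <= this.now) { this.timers.delete(id); t.fn(); }
    }
  }
}

// Schedules a "token_expires" notification at timeoutFactor of the token lifetime.
// With dedupe=false it behaves like two code paths each arming their own timer.
class ExpiryScheduler {
  private handles = new Map<TokenKind, number>();
  constructor(private clock: FakeClock, private listener: Listener, private dedupe: boolean) {}
  schedule(kind: TokenKind, lifetimeMs: number, timeoutFactor = 0.75): void {
    if (this.dedupe) {
      const old = this.handles.get(kind);
      if (old !== undefined) this.clock.clearTimeout(old); // drop the stale timer
    }
    const id = this.clock.setTimeout(() => {
      this.handles.delete(kind);
      this.listener(kind);
    }, lifetimeMs * timeoutFactor);
    this.handles.set(kind, id);
  }
}

// Simulates the reload: the timer is armed once by tryLogin() and once more by the
// silent-refresh listener setup. Returns how many expiry events the listener saw.
function countExpiryEvents(dedupe: boolean): number {
  const clock = new FakeClock();
  let fired = 0;
  const scheduler = new ExpiryScheduler(clock, () => { fired++; }, dedupe);
  scheduler.schedule("id_token", 1000);
  scheduler.schedule("id_token", 1000);
  clock.advance(1000);
  return fired;
}
```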