Store RT, add scopes to static-spa sample #527
Conversation
| @@ -266,7 +269,8 @@ function redirectToGetTokens(additionalParams) { | |||
|
|
|||
| function redirectToLogin(additionalParams) { | |||
| authClient.token.getWithRedirect(Object.assign({ | |||
| state: JSON.stringify(config.state) | |||
| state: JSON.stringify(config.state), | |||
| scopes: config.state.scopes.split(/\s+/) || config.scopes, // getWithRedirect doesn't obey scopes in constructor yet | |||
There was a problem hiding this comment.
I certainly think so.
lib/token.ts
Outdated
| }); | ||
| } | ||
|
|
||
| async function renewTokensWithRefresh(sdk: OktaAuth, options: TokenParams, refreshTokenObject: RefreshToken): Promise<any> { |
There was a problem hiding this comment.
Looks like the return type is TokenResponse instead of Tokens, which means the tokenManager cannot get proper tokens after the renew process.
lib/TokenManager.ts
Outdated
| tokenMgmtRef.renewPromise[key] = sdk.token.renewTokens({ | ||
| scopes: token.scopes | ||
| scopes: token.scopes, | ||
| refreshToken: storage.getStorage() |
CHANGELOG.md
Outdated
| @@ -1,5 +1,19 @@ | |||
| # Changelog | |||
|
|
|||
| ## PENDING | |||
There was a problem hiding this comment.
Can make this 4.2.0. package.json is already bumped, will be a normal release from master
There was a problem hiding this comment.
My inclination is to leave this as PENDING until we're ready for release, as it helps with people on github asking why the version on NPM doesn't agree with what they are seeing, but I'm open to persuasion.
| @@ -335,6 +354,7 @@ function showForm() { | |||
| // Set values from config | |||
| document.getElementById('issuer').value = config.issuer; | |||
| document.getElementById('clientId').value = config.clientId; | |||
| document.getElementById('scopes').value = config.scopes; | |||
There was a problem hiding this comment.
I think it would be less confusing if config.scopes in the samples was an array, consistent with what okta-auth-js expects. The conversion to/from string can be handled here in showForm. In the default test app, the array is converted to a comma separated string: https://github.com/okta/okta-auth-js/blob/master/test/app/src/form.ts#L51
Within the JSON serialized state param, it can remain an array. It only needs to be a string for the 2 cases:
- in the form
- as a standalone query parameter
These 2 cases are closely related because the form has method GET so submitting the form will set the query parameter with the value in the form. The serialized state object is used to save the config across redirects.
|
I tested it and it works. Nice job! |
CHANGELOG.md
Outdated
| - Adding the ability to use refresh tokens with single page applications (SPA) (Early Access feature - reach out to our support team) | ||
| - `scopes` configuration option now handles 'offline_access' as an option, which will use refresh tokens IF your client app is configured to do so in the Okta settings | ||
| - If you already have tokens (from a separate instance of auth-js or the okta-signin-widget) those tokens must already include a refresh token and have the 'offline_access' scope | ||
| - 'offline_access' is not requested by default. Anyone using the default `scopes` and wishing to add 'offline_access' should pass `scopes: ['openid', 'email', 'offline_access']` to their constructor (FIXME: Is constructor enough?) |
There was a problem hiding this comment.
Aaron has a fix for 4.1, should be backported after merging #535
lib/browser/browser.ts
Outdated
| @@ -427,6 +453,11 @@ class OktaAuthBrowser extends OktaAuthBase implements OktaAuth, SignoutAPI { | |||
| return accessToken ? accessToken.accessToken : undefined; | |||
| } | |||
|
|
|||
| getRefreshToken(): string | undefined { | |||
There was a problem hiding this comment.
remove this method if we want to expose refreshToken only internally for now.
brettritter-okta
force-pushed
the
br-hat-refresh-token
branch
2 times, most recently
from
487b942
to
7b79ac4
Compare
add methods: isPKCE, hasResponseType
brettritter-okta
force-pushed
the
br-hat-refresh-token
branch
from
068c677
to
168e41d
Compare
| // Revokes the refresh token for the application session | ||
| async revokeRefreshToken(refreshToken?: RefreshToken) { | ||
| if (!refreshToken) { | ||
| refreshToken = (await this.tokenManager.getTokens()).refreshToken as RefreshToken; |
There was a problem hiding this comment.
It might be better to get the token from authState (sync access), but as we are also using the same logic in revokeAccessToken, the change can be made in a separate PR.
There was a problem hiding this comment.
We get into a circular dependency if we try that. I brought it up and Aaron suggested we just do this.
There was a problem hiding this comment.
wondering how the circular dep happens? it should just be an access to the in-memory state
const { refreshToken } = this.authStateManager.getAuthState();
There was a problem hiding this comment.
I'm going off memory, but as I recall this.authStateManager didn't exist here.
| @@ -426,6 +451,11 @@ class OktaAuthBrowser extends OktaAuthBase implements OktaAuth, SignoutAPI { | |||
| return accessToken ? accessToken.accessToken : undefined; | |||
| } | |||
|
|
|||
| getRefreshToken(): string | undefined { | |||
There was a problem hiding this comment.
so we decided to keep the public method for refresh token?
There was a problem hiding this comment.
looks like it's neither in readme nor used in code, remove?
There was a problem hiding this comment.
We kept it because we're exposing it on authState anyway.
| @@ -20,6 +20,7 @@ const defaults = { | |||
| const spaDefaults = Object.assign({ | |||
| redirectPath: '/implicit/callback', | |||
| flow: 'redirect', | |||
| scopes: 'openid email', | |||
There was a problem hiding this comment.
I'm still not a fan of having scopes as a space-separated string here in the config. I would much prefer that scopes is an array, as it is for OktaAuth, and the conversion to string (comma or space separated) was done in the showForm() and conversion from string back to array is in loadConfig()
No description provided.