
OAuth token refreshes in reference client are brittle #2816

Open
mary-ext opened this issue Sep 14, 2024 · 1 comment

@mary-ext (Contributor) commented Sep 14, 2024

Describe the bug

As in the title, token refreshes are very likely to fail, resulting in a log out, if the user happens to reload the page at the wrong moment.

To Reproduce

Steps to reproduce the behavior:

  1. Use the OAuth browser library and sign in
  2. Wait 10+ minutes for the token to expire
  3. Refresh the token
  4. While refreshing, reload the page.

Expected behavior

It shouldn't be likely for reloads to sign you out

Details

While this is entirely unavoidable, this seems to be mostly happening because the client needs to verify whether the new access tokens are received from the right issuer.

const resolved = await this.oauthResolver.resolveFromIdentity(sub, {

Since this happens in between a request to refresh tokens and actually storing that token, this leaves quite a gap (one that's especially big on slow networks) in which said tokens can potentially get lost before they make their way into IndexedDB.

As we aren't doing a stale-while-refresh approach for identity and metadata resolution, this is bound to happen every 10 minutes, as that's what the cache expiry time is currently configured at.

@mary-ext mary-ext added the bug Something isn't working label Sep 14, 2024
@mary-ext mary-ext changed the title OAuth token refreshes are brittle OAuth token refreshes in reference client are brittle Sep 14, 2024
@mary-ext (Contributor, Author) commented:
I suppose moving resolveFromIdentity to refresh method might be the answer? So long as we're not doing it in-between it seems fine.
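The race described above, as an added simulation that is not part of the issue or the reference client's code: a single-use refresh token is consumed, then the slow identity resolution runs, and a reload before the result is stored strands the session. The server, store, `resolveIssuer`, `refreshBrittle`, `refreshHardened` and `simulate` names and the sample token values are all constructed for illustration; the hardened variant is the ordering the follow-up comment suggests.

```javascript
class Reload extends Error {} // stands in for the user reloading the tab mid-flow
// Constructed authorization server: refresh tokens are single-use, so a refresh
// whose result never reaches storage leaves the stored session unusable.
function makeServer(issuer) {
  let n = 1, live = 'rt-1';
  return {
    refresh(rt) {
      if (rt !== live) throw new Error('invalid_grant');
      n += 1;
      live = `rt-${n}`;
      return { iss: issuer, access_token: `at-${n}`, refresh_token: live };
    },
  };
}

// Stand-in for oauthResolver.resolveFromIdentity: a slow network round trip giving
// the issuer the subject's identity points at; `reload` = page reloaded mid-flight.
function resolveIssuer(sub, reload) {
  if (reload) throw new Reload();
  return 'https://auth.example';
}

// Order described in the issue: refresh, then resolve, then store.
function refreshBrittle(server, store, reload) {
  const tokens = server.refresh(store.session.refresh_token); // old token is now burnt
  const expected = resolveIssuer(store.session.sub, reload); // gap: nothing persisted yet
  if (tokens.iss !== expected) throw new Error('issuer mismatch');
  store.save(tokens);
}

// Order suggested in the follow-up comment: resolve before the refresh request, so
// no network round trip sits between consuming the old token and storing the new one.
function refreshHardened(server, store, reload) {
  const expected = resolveIssuer(store.session.sub, reload); // no token consumed yet
  const tokens = server.refresh(store.session.refresh_token);
  if (tokens.iss !== expected) throw new Error('issuer mismatch');
  store.save(tokens);
}

// One refresh interrupted by a reload, then the refresh the reloaded page attempts.
function simulate(refresh) {
  const server = makeServer('https://auth.example');
  const store = { // constructed stand-in for the IndexedDB session store
    session: { sub: 'did:example:alice', refresh_token: 'rt-1' },
    save(tokens) { this.session = { ...this.session, ...tokens }; },
  };
  try { refresh(server, store, true); } catch (e) { if (!(e instanceof Reload)) throw e; }
  try { refresh(server, store, false); return 'signed-in'; }
  catch (e) { if (e.message === 'invalid_grant') return 'signed-out'; throw e; }
}
```

`simulate(refreshBrittle)` ends signed out because the reloaded page still holds the already-consumed `rt-1`, while `simulate(refreshHardened)` stays signed in because the interrupted attempt never consumed a token.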
