
Automatic silent renew deletes profile from stored state


Hello,

I noticed that the property profile of the object stored inside the session storage is overwritten when a silent renew is triggered. It looks like the response of the silent renew just overwrites the whole object.

State stored in session storage after signin with redirect callback: [image]

State stored in session storage after first silent renew: [image]

I also enabled the option loadUserInfo of the UserManager, but the silent renew doesn’t seem to respect it. It would be great if the stored profile would remain in place even after the silentRenew.

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 16 (6 by maintainers)

Top GitHub Comments

1 reaction
pamapa commented, Mar 10, 2022

Idea: We could remove:

if (!response.isOpenId) {
  logger.debug("response is not OIDC, skipping claims processing");
  return;
}

and change the “if” code to:

if (response.isOpenId && claims.sub !== response.profile.sub) {
  logger.throw(new Error("subject from UserInfo response does not match subject in ID Token"));
}

_filterProtocolClaims should be fine for !isOpenId…

1 reaction
kherock commented, Mar 9, 2022

The reason that hacking openid back onto the scope returned in the response isn’t ideal is given here: https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/

The requested scope must not include additional scopes that were not issued in the original access token. Typically this will not be included in the request, and if omitted, the service should issue an access token with the same scope as was previously issued.

I think the better behavior here might be to simply discard the scope sent back from the IDP and just preserve the scope used in the original request?
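The two ideas in the comments above (keep processing UserInfo claims when the renewed response carries no ID token, and keep the scope of the original request instead of the one echoed by the IdP), as an added example that is not oidc-client-ts's own code. The protocol-claim list, the `id_token_claims` field and the sample values are assumptions; the sub check is applied against whichever profile the merge starts from, so it also covers the non-OpenID case.

```javascript
// Protocol claims kept out of the profile (an assumed list, not the
// library's own _filterProtocolClaims list).
const PROTOCOL_CLAIMS = new Set(["iss", "aud", "exp", "iat", "nbf", "nonce", "at_hash", "c_hash"]);

function filterProtocolClaims(claims) {
  return Object.fromEntries(Object.entries(claims).filter(([k]) => !PROTOCOL_CLAIMS.has(k)));
}

// A response counts as OpenID when it actually carries an ID token.
function isOpenIdResponse(response) {
  return typeof response.id_token === "string" && response.id_token.length > 0;
}

// previous: state stored after signin; response: the silent-renew token response
// (response.id_token_claims is assumed to hold the already validated ID-token
// claims when present); userInfoClaims: claims fetched from UserInfo, or null.
function mergeRenewedState(previous, response, userInfoClaims) {
  const merged = {
    ...previous,
    access_token: response.access_token,
    refresh_token: response.refresh_token ?? previous.refresh_token,
    scope: previous.scope, // discard response.scope, preserve the requested scope
  };
  // Without an ID token the stored profile survives instead of being wiped.
  const baseProfile = isOpenIdResponse(response)
    ? filterProtocolClaims(response.id_token_claims)
    : { ...previous.profile };
  if (userInfoClaims) {
    // The subject must match the profile we start from: the new ID token if
    // there is one, otherwise the profile saved at signin.
    if (userInfoClaims.sub !== baseProfile.sub) {
      throw new Error("subject from UserInfo response does not match subject in ID Token");
    }
    merged.profile = { ...baseProfile, ...filterProtocolClaims(userInfoClaims) };
  } else {
    merged.profile = baseProfile;
  }
  return merged;
}

// Constructed sample values (placeholders, not real tokens).
const storedState = {
  access_token: "at-1", refresh_token: "rt-1",
  scope: "openid profile offline_access",
  profile: { sub: "user-123", name: "Alice" },
};
// A refresh response whose scope no longer contains "openid" and has no id_token.
const renewWithoutIdToken = { access_token: "at-2", refresh_token: "rt-2", scope: "profile offline_access" };
```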
