Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Best practice to handle expired refresh tokens?
See original GitHub issueHello, I am using Azure AD as the auth provider and there is 24 hours lifetime of the refresh token. After 24 hours I am getting the following error in console log:
Does anyone have an advice how to handle this error? What is the best practice?
Currently I am thinking about handling it when access_token expires in this event by doing signOut.
mgr.events.addAccessTokenExpired(function () {
log("token expired");
chrome.storage.local.get(['user'], (data) => {
client.useRefreshToken({state: data["user"], timeoutInSeconds: 5 }).then(user => {
console.log("refreshedToken user: ", user);
mgr.storeUser(new oidc.User(user));
}).catch(err => {
// possible fail here is that the lifetime of the refreshToken ended.
// for AzureAD it is 24 hours for SPA. 90 days for all other apps.
console.error(err);
globalThis.signOut();
});
});
});
I feel like this is not the best UX for the users to be automatically signed out every 24 hours. Is there a better way?
Issue Analytics
- State:
- Created a year ago
- Comments:8 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
@Alino, an expired
refresh_tokendoesn’t mean theuser's sessionhas expired too. You don’t necessarily have to re-log in.What the blue box means:
Usually the flow of ODIC Auth code + PKCE is as follow:
access_tokento call your private APIsaccess_tokenis about to expire, an ajax call will be made with therefresh_tokento get complete new tokensrefresh_tokenexpire, you are stuck. You cannot ask for new tokens and there is no way to authenticate the user back without having him to interact somehow.There is a technique though, where you could be using an hidden iframe that would navigate to the OP and re-use the
session cookie. Allowing you to get tokens in returns, if a user’s session was still active. This is ideal (in theory) because completely transparent for the user.But web browsers like Safari are now using privacy features (ITP - Intelligent Tracking Prevention) that prevents third party cookies to be sent, making this technique useless (ie. my-app.com cannot use cookies from my-op.com even in a child frame). If you want to use cookies from my-op.com then you have to be on my-op.com (top frame).
So the only solution is to navigate to the OP from the top level frame instead of the iframe:
refresh_tokenexpiration=> no user interaction needed (just a back and forth, like if your app was refreshed) => regarding the UX, user’s would have to be prompted before the redirect occurs otherwise there is a risk for them to loose what they were doing
Understood, thank you. I have noticed the cookie inside the auth popups that are being opened when using
chrome.identity.launchWebAuthFlowThat brings me to the idea that I am going to testchrome.identity.launchWebAuthFlowwith non interactive mode perhaps, to see if that renews the refresh_token.EDIT: I have tested it, and it seems to work. But I am going to test for few more days.