Code flow and automatic refresh token
I have been banging my head against this for many hours now and would appreciate some direction.
The setup:
- issuer: IdentityServer4
- client: Angular9 app
- back end API: many containerized, mostly .NET webapi core
Config excerpt:
```ts
responseType: 'code',
scope: 'openid profile email roles offline_access [...some more private]',
```
configure method:
```ts
private configure() {
  this.oauthService.configure(authConfig);
  this.oauthService.tokenValidationHandler = new JwksValidationHandler();
  this.oauthService.loadDiscoveryDocumentAndTryLogin();
  this.oauthService.setupAutomaticSilentRefresh();
}
```
Problem
Using code flow, it is not a problem to log in with a user and to actually enforce authorization by roles, both in the client and in the back end.
However, refreshing the token always fails, and the behaviour is 'strange' in my opinion. The client tries refreshing with two different refresh tokens consecutively and I receive two responses (see debugging log):
refresh tokenResponse
angular-oauth2-oidc.js:761
Object {id_token: "eyJhbGciOiJSUzI1NiIsImtpZCI6IlV4NE5tOXhBQ0JyNVE0N2…", access_token: "eyJhbGciOiJSUzI1NiIsImtpZCI6IlV4NE5tOXhBQ0JyNVE0N2…", expires_in: 3600, token_type: "Bearer", refresh_token: "SOcPcu1GPcuM08Y1B1udzo3NJKYV4KLBhoqdUmfDWvo", …}
angular-oauth2-oidc.js:761
refresh tokenResponse
angular-oauth2-oidc.js:761
Object {id_token: "eyJhbGciOiJSUzI1NiIsImtpZCI6IlV4NE5tOXhBQ0JyNVE0N2…", access_token: "eyJhbGciOiJSUzI1NiIsImtpZCI6IlV4NE5tOXhBQ0JyNVE0N2…", expires_in: 3600, token_type: "Bearer", refresh_token: "iucZ4iJPKKXMx23zNUqbxEhontiPIXVTJHDf7aOW-5g", …}
The id_token and the access_token are similar but the refresh_token is not. These requests are sent one after the other (straight).
Then, I get two failures in a row:
Failed to load resource: the server responded with a status of 400 (Bad Request) [....omitted...]
Error performing password flow
angular-oauth2-oidc.js:1358
HttpErrorResponse {headers: HttpHeaders, status: 400, statusText: "Bad Request", url: "...omitted...", ok: false, …}
angular-oauth2-oidc.js:1358
Automatic silent refresh did not work
angular-oauth2-oidc.js:761
Failed to load resource: the server responded with a status of 400 (Bad Request) [...omitted...]
Error performing password flow
angular-oauth2-oidc.js:1358
HttpErrorResponse {headers: HttpHeaders, status: 400, statusText: "Bad Request", url: "....omitted...", ok: false, …}
angular-oauth2-oidc.js:1358
Automatic silent refresh did not work
Note the error 'Error performing password flow', which I am not sure is just an oddity in the logging or whether it is actually trying a password flow… because IdentityServer4 is not complaining about the password flow but about the token not existing…
[2020-02-15T13:28:43.2741552+00:00][DBUG][31][IdentityServer4.EntityFramework.Stores.PersistedGrantStore] "zeIPcnCv0o9OAQ8bBK8J0YHKnX5I9JG8lDpRAPwSPyw=" found in database: False
[2020-02-15T13:28:43.2742509+00:00][DBUG][31][IdentityServer4.Stores.DefaultRefreshTokenStore] "refresh_token" grant with value: "iucZ4iJPKKXMx23zNUqbxEhontiPIXVTJHDf7aOW-5g" not found in store.
[2020-02-15T13:28:43.2743632+00:00][WARN][31][IdentityServer4.Validation.TokenValidator] Invalid refresh token
[2020-02-15T13:28:43.2747049+00:00][WARN][31][IdentityServer4.Validation.TokenRequestValidator] Refresh token validation failed.
Which I believe is in the db.
Finally, at some point, the client will not be able to access the back end, with the error 'Token expired'.
However, the client is still working fine with the user logged in. If I log out and log in again, or simply send a login again (without actually logging out), I will have access to the back end again since my new token is fresh.
Please, any advice or lead for me to be able to progress?
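The two back-to-back refresh requests in the log above are the interesting part. The following is an added illustration, not code from the issue or from angular-oauth2-oidc, assuming the issuer rotates one-time-use refresh tokens (IdentityServer4's default OneTimeOnly usage): it simulates a token endpoint with that rotation and shows why a second refresh dispatched before the first response is applied gets `invalid_grant`, and how coalescing concurrent refresh triggers into one in-flight request avoids it. The issuer, client and network are all constructed in-memory stand-ins.

```javascript
// Simulated issuer (constructed, not IdentityServer4): every successful refresh
// consumes the presented refresh token and hands out a new one.
function createIssuer() {
  const active = new Set();
  let n = 0;
  const issue = () => { const t = `rt-${++n}`; active.add(t); return t; };
  return {
    login: () => ({ access_token: `at-${n + 1}`, refresh_token: issue() }),
    refresh(rt) {
      // Unknown or already-consumed token: the "Invalid refresh token" case
      if (!active.has(rt)) return { status: 400, error: 'invalid_grant' };
      active.delete(rt);                                        // one-time use
      return { status: 200, access_token: `at-${n + 1}`, refresh_token: issue() };
    },
  };
}

// Simulated client with a queued "network": requests are answered only when
// flush() runs, so two sends that happen back to back both carry the token
// the client held at send time, exactly like two triggers firing at once.
function createClient(issuer, { coalesce }) {
  const state = { ...issuer.login() };
  const queue = [];
  const results = [];
  let pending = false;
  return {
    triggerRefresh() {
      if (coalesce && pending) return;        // guarded: one refresh in flight at a time
      pending = true;
      queue.push(state.refresh_token);        // naive: every trigger sends its own request
    },
    flush() {
      while (queue.length) {
        const res = issuer.refresh(queue.shift());
        if (res.status === 200) Object.assign(state, res);  // store rotated tokens
        results.push(res.status);
      }
      pending = false;
      return results;
    },
  };
}

// Two refresh triggers before any response arrives (e.g. a timer plus a second trigger).
function simulate(coalesce) {
  const client = createClient(createIssuer(), { coalesce });
  client.triggerRefresh();
  client.triggerRefresh();
  return client.flush();      // naive: [200, 400]; coalesced: [200]
}
```

The 400 in the naive run is the same failure mode the IdentityServer4 log reports: the second request presents a refresh token that has already been consumed by the first, so it is no longer in the grant store.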
Top GitHub Comments
@jeroenheijmans Possibly. However, see below, as thebaron24's suggestion seems to work around it. I have it now running in a testing environment (compiles as production) and the messages are more explicit:
Oddly, thebaron24's suggestion seems to work… spooky! @thebaron24 Indeed! Thank you sir! Good for now.
@jeroenheijmans Sorry, I have been away from the computer… Yes, that's what I meant. Definitely written in a much clearer way. I will be very happy to dig into the code, put the time in myself and pass it back. The least I can do after using this fantastic lib.