How can I set auto token refreshing in password flow?

How can I set auto token refreshing in password flow?

@NgModule({
  declarations: [
    AppComponent
  ],
  imports: [
    OAuthModule.forRoot({
      resourceServer: {
        allowedUrls: [`${environment.protocol}://${environment.hostname}`],
        sendAccessToken: true
      }
    })
  ],
  providers: [
    { provide: LocationStrategy, useClass: HashLocationStrategy },
    { provide: OAuthStorage, useValue: sessionStorage },
  ],
  bootstrap: [AppComponent]
})
export class AppModule {
}

  private readonly authConfig: AuthConfig = {
    issuer: 'issuer',
    oidc: false,
    clientId: 'clientId',
    scope: 'openid username role apps full-api offline_access'
  };

In service constructor:

    this.oAuthService.configure(this.authConfig);
    this.oAuthService.setupAutomaticSilentRefresh();

1. .loadDiscoveryDocument()
2. .fetchTokenUsingPasswordFlowAndLoadUserProfile()

Login successful, user logged in.

After a while, it tries to call:

Request URL: http://10.10.10.10:10/connect/authorize?response_type=token&client_id=clientId&state=ZEx4dGR2alltRC02V2J3NEowWTJoa1pNbXp4R2lNaHNBTEZOTlVRZlB5T0dC&redirect_uri=&scope=openid%20username%20role%20apps%20full-api%20offline_access&prompt=none
Request Method: GET
Status Code: 302 Found

And I got an error after that:

http://10.10.10.10:10/home/error?errorId=CfDJ8PFLaJy2spFGuE1ynrI...
Request Method: GET
Status Code: 404 Not Found
Remote Address: 10.10.10.10:10
Referrer Policy: no-referrer-when-downgrade

Why does it want to call /connect/authorize for token refreshing, why not call connect/token? What is wrong with my config?

Desktop

  • OS: Windows 10 latest
  • Browser: Chrome latest
  • Version: 10.0.3 latest

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 1
  • Comments: 6

Top GitHub Comments

1 reaction
jeroenheijmans commented, Jul 31, 2020

No, sorry, no idea. RPO flow is deprecated and I don’t need to use or support it anywhere.

If I would need to use it (e.g. with a legacy server) I would probably not use a library but some form of handcrafted solution instead. RPO is so small that an entire library almost feels like overkill, usually.

Not really an answer to your questions, sorry. Possibly another community member can help out? Or you could dig through the code to see how things should work, and let us know what you found. Good luck!

0 reactions
AlexGoris-KasparSolutions commented, Aug 13, 2020

We’re using a password flow based auth mechanism and handle token refresh like so:

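import { Injectable } from '@angular/core';
import { OAuthService } from 'angular-oauth2-oidc';

// authConfig is the application's AuthConfig object, defined elsewhere.
@Injectable({
  providedIn: 'root',
})
export class AuthService {
    constructor(private _oAuthService: OAuthService) {
        this._oAuthService.configure(authConfig);
        this._oAuthService.loadDiscoveryDocument();
        this._oAuthService.events.subscribe((e) => {
            switch (e.type) {
                case 'token_received':
                    // A new access token arrived: load the user profile
                    this._oAuthService.loadUserProfile();
                    break;
                case 'discovery_document_loaded':
                    // Token restored from storage is still valid: load the profile
                    if (this._oAuthService.hasValidAccessToken()) this._oAuthService.loadUserProfile();
                    break;
                case 'token_expires':
                    // Refresh-token grant against the token endpoint
                    this._oAuthService.refreshToken();
                    break;
                default:
                    break;
            }
        });
    }
}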

This also handles loading of the user profile after getting an access token, and loading the user profile if the user still has a valid access token (from storage), which is in this way IMHO handled more elegantly than the provided examples in the documentation.

The token_expires event case will ensure that the token is refreshed when needed.
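The refresh-token grant that the question expected to see against connect/token, sketched by hand as an added example; it is not code from the thread or from the library. It assumes a public client without a secret, and all type and function names here are hypothetical.

```typescript
// Added example: hand-rolled refresh_token grant (RFC 6749, section 6).
// Client id and token values used with it are constructed placeholders.

interface TokenSet {
  accessToken: string;
  refreshToken: string;
  expiresAt: number; // epoch milliseconds
}

interface TokenResponse {
  access_token: string;
  expires_in: number;     // seconds
  refresh_token?: string; // present only when the server rotates it
}

// Form-encode the body that is POSTed to the token endpoint
// (Content-Type: application/x-www-form-urlencoded).
function buildRefreshBody(clientId: string, refreshToken: string, scope?: string): string {
  const fields: Array<[string, string]> = [
    ['grant_type', 'refresh_token'],
    ['refresh_token', refreshToken],
    ['client_id', clientId],
  ];
  if (scope) fields.push(['scope', scope]);
  return fields
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join('&');
}

// Delay until the refresh should fire: after `factor` of the remaining
// lifetime has passed, and immediately if the token has already expired.
function refreshDelayMs(tokens: TokenSet, now: number, factor = 0.75): number {
  return Math.max(0, Math.floor((tokens.expiresAt - now) * factor));
}

// Merge a token response into the stored set. When the server omits
// refresh_token the old one is kept; when it rotates, the new one replaces it.
function applyTokenResponse(prev: TokenSet, res: TokenResponse, now: number): TokenSet {
  if (!res.access_token || !(res.expires_in > 0)) {
    throw new Error('malformed token response');
  }
  return {
    accessToken: res.access_token,
    refreshToken: res.refresh_token ?? prev.refreshToken,
    expiresAt: now + res.expires_in * 1000,
  };
}
```

Keeping the rotated refresh token and discarding the old one in the same step matters: a server that rotates refresh tokens typically treats reuse of the old one as a replay.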
