Two token refresh requests use the same refresh token
Describe the bug
We are using IdentityServer4 with the angular-oauth2-oidc library. Authorization is done using Code-Flow and automatic refresh is enabled by calling the setupAutomaticSilentRefresh method. Login is working fine. Before the token expires the automatic refresh kicks in and refreshes the token. Normally that works fine. We get a new token and everything works. But sometimes two refresh token requests (R1 and R2) are sent at the same point in time and both use the same refresh token (RT). Request R1 is successful and we get a new fresh token from IdentityServer. But R2 fails because IdentityServer already generated a new refresh token and the old refresh token (RT) is not valid anymore! The following requests are working fine again.
Anyone who knows that issue? Any ideas how to solve it?
Do I need the silent-refresh.html page and to set the silentRefreshRedirectUri (for code-flow!) as described in this example: https://github.com/jeroenheijmans/sample-auth0-angular-oauth2-oidc
To Reproduce
Steps to reproduce the behavior: I haven’t found a way to reproduce it. I just do the following steps:
- Login
- Wait some time
- After a few successful refresh token requests maybe the error occurs (but only maybe)
Desktop (please complete the following information):
- OS: Win 10
- Browser: error occurred on Chrome and Edge
- Version: angular-oauth2-oidc@8.0.4
IdentityServer Log:
dbug: IdentityServer4.Validation.TokenRequestValidator[0]
Start validation of refresh token request
dbug: IdentityServer4.Stores.DefaultRefreshTokenStore[0]
refresh_token grant with value: d52907154ce4ad550a96a49a57cffc5ec91b0040fa46b4530c409ecdb8c78401 not found in store.
warn: IdentityServer4.Validation.TokenValidator[0]
Invalid refresh token
warn: IdentityServer4.Validation.TokenRequestValidator[0]
Refresh token validation failed. aborting, {
  "ClientId": "*************************.App.Client",
  "ClientName": "*******************",
  "GrantType": "refresh_token",
  "Raw": {
    "grant_type": "refresh_token",
    "client_id": "********************.App.Client",
    "scope": "openid profile email offline_access *****_api",
    "refresh_token": "***REDACTED***"
  }
}
Successful refresh token request (R1) with refresh token d5290…8401: [screenshot not captured]
Failed refresh token request (R2) with refresh token d5290…8401 at “same time” as R1: [screenshot not captured]
Log output in the console: [screenshot not captured]
In the console “Error performing password flow” is printed as error. Why password flow? We use code-flow and never start a password flow.
Maybe related to this issue? https://github.com/manfredsteyer/angular-oauth2-oidc/issues/722 https://github.com/manfredsteyer/angular-oauth2-oidc/issues/724
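The race described in the report, as an added example that is not part of the original issue and not code from angular-oauth2-oidc or IdentityServer4. It assumes what the log above shows: the token endpoint treats a refresh token as one-time-use and rotates it on every successful refresh_token grant. The names TokenServer, NaiveClient, SingleFlightClient and raceTwoRefreshes are constructed for this example. The naive client reproduces R1 succeeding and R2 failing; the single-flight client coalesces concurrent refresh calls into one in-flight request so the server only ever sees each refresh token once.

```javascript
// Added example, not code from angular-oauth2-oidc or IdentityServer4.

// Simulated token endpoint (assumption: one-time-use, rotating refresh tokens,
// which is the behaviour the issue's IdentityServer log shows). Tokens are a
// counter here for readability; a real server would issue random values.
class TokenServer {
  constructor() {
    this.validRefreshTokens = new Set();
    this.counter = 0;
    this.log = [];
  }

  issueTokens() {
    const refreshToken = 'rt-' + (++this.counter);
    this.validRefreshTokens.add(refreshToken);
    return { access_token: 'at-' + this.counter, refresh_token: refreshToken };
  }

  // refresh_token grant. The presented token is checked and consumed as soon
  // as the request arrives, so a second request carrying the same value is
  // rejected even when both were sent at "the same time".
  async refresh(refreshToken) {
    if (!this.validRefreshTokens.has(refreshToken)) {
      this.log.push(`refresh_token grant with value: ${refreshToken} not found in store.`);
      throw new Error('invalid_grant');
    }
    this.validRefreshTokens.delete(refreshToken);
    await new Promise(resolve => setTimeout(resolve, 5)); // response latency
    return this.issueTokens();
  }
}

// Client A: every caller sends its own request with whatever refresh token is
// current at call time. Two concurrent callers both send the old token (R1/R2).
class NaiveClient {
  constructor(server, tokens) {
    this.server = server;
    this.tokens = tokens;
  }

  refreshToken() {
    return this.server.refresh(this.tokens.refresh_token).then(fresh => {
      this.tokens = fresh;
      return fresh;
    });
  }
}

// Client B: one in-flight refresh is shared. A caller that arrives while a
// refresh is already running joins that promise instead of sending its own
// request, so each refresh token reaches the server exactly once.
class SingleFlightClient {
  constructor(server, tokens) {
    this.server = server;
    this.tokens = tokens;
    this.inflight = null;
  }

  refreshToken() {
    if (this.inflight) return this.inflight;
    this.inflight = this.server
      .refresh(this.tokens.refresh_token)
      .then(fresh => {
        this.tokens = fresh;
        return fresh;
      })
      .finally(() => {
        this.inflight = null;
      });
    return this.inflight;
  }
}

// Fire two refreshes at the same point in time and report each outcome
// together with what the server logged.
async function raceTwoRefreshes(ClientClass) {
  const server = new TokenServer();
  const client = new ClientClass(server, server.issueTokens());
  const results = await Promise.allSettled([client.refreshToken(), client.refreshToken()]);
  return { statuses: results.map(r => r.status), serverLog: server.log };
}

async function main() {
  console.log('naive:        ', await raceTwoRefreshes(NaiveClient));
  console.log('single-flight:', await raceTwoRefreshes(SingleFlightClient));
}

main();
```

Running it prints `["fulfilled","rejected"]` plus one "not found in store" log line for the naive client, and `["fulfilled","fulfilled"]` with an empty server log for the single-flight client. The same pattern applies to any caller that can trigger a refresh (a timer, an HTTP interceptor on a 401, a manual button): all of them must funnel through one shared in-flight promise, because after rotation the old refresh token is worthless and retrying it only produces the failed request seen in the log.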
Issue Analytics
- State:
- Created 4 years ago
- Comments: 7 (2 by maintainers)
Top GitHub Comments
I cannot reproduce this behavior.
I think the order of things in the quickstart-demo is fine (though it doesn’t include any automatic or timed refreshes, just when you hit the button). Even if I set up a timeoutFactor of 0.025 and do setupAutomaticSilentRefresh() in it I cannot reproduce the behavior. I cannot reproduce it in my own sample repository either, unless… you’d use a version before the commit where I compensate for #600 (no silent refresh via iframe available with code flow). In that case, my sample even for v8 will show an errored out refresh that was happening because I prefer to try iframe-based refreshes at the start of my app.
Maybe OP was experiencing that behavior? @goflo could you check if you initiate silentRefresh() in your app somewhere? That’s not supported currently and causes the behavior you describe. Otherwise, we’ll probably need a repository or a StackBlitz example to further investigate…
@manfredsteyer : thanks for the info regarding v9 and Angular 8!
@jeroenheijmans : no, I don’t initiate a silentRefresh().
As I wrote above we are calling setupAutomaticSilentRefresh() now before loadDiscoveryDocumentAndTryLogin() and until now it seems like that solved the issue. If it occurs again I will update to v9. For now we can close this issue. Thanks for your time!