
useHttpBasicAuthForPasswordFlow not working when refreshToken


Hi everybody! I use the password flow for OAuth2. I’ve configured it with useHttpBasicAuthForPasswordFlow: true, and it works fine with fetchTokenUsingPasswordFlow. But when I want to refresh the token, it does not work:

this.oauthService.events.subscribe(e => {
  console.log('oauth / oidc event', e);
  // On expiry, ask the library to refresh; the returned promise resolves with the token response.
  if (e.type === 'token_expires') {
    this.oauthService.refreshToken().then(value => console.log(value));
  }
});

I checked the Http Request Header, which does not have the Authorization header with Basic. Please help me. Thank you very much!

Top GitHub Comments

2 reactions
smainz commented, Dec 6, 2018

Hi,

I was about to file the same issue at the moment. The method refreshToken() does not set the Basic Authentication Header (oauth-service.ts, line 738):

        const headers = new HttpHeaders().set(
            'Content-Type',
            'application/x-www-form-urlencoded'
        );

as it does in fetchTokenUsingPasswordFlow():

        if (this.useHttpBasicAuthForPasswordFlow) {
            const header = btoa(`${this.clientId}:${this.dummyClientSecret}`);
            headers = headers.set(
                'Authorization',
                'Basic ' + header);
        }

        if (!this.useHttpBasicAuthForPasswordFlow) {
            params = params.set('client_id', this.clientId);
        }

        if (!this.useHttpBasicAuthForPasswordFlow && this.dummyClientSecret) {
            params = params.set('client_secret', this.dummyClientSecret);
        }

The obvious workaround would be to copy this code into refreshToken() or to extract a method and call it in both places, but I do not know what would happen when using the implicit flow if I did that.

@manfredsteyer: Any advice how I can help?

At the moment my workaround is crude (in the interceptor):

intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
  if (this.isLoggedIn) {
    // FIXME: oauth url is hard coded.
    if (!request.url.endsWith('/token')) {
      request = request.clone({
        setHeaders: {
          'Authorization': `Bearer ${this.auth.getToken()}`
        }
      });
    } else {
      // TODO: Workaround: angular-oauth2-oidc does not set Basic Authentication header
      //       in refreshToken(). We require it.
      // FIXME: user name and password are hardcoded.
      const auth = btoa('client' + ':' + 'secret');
      request = request.clone({
        setHeaders: {
          'Authorization': `Basic ${auth}`
        }
      });
    }
  }
  return next.handle(request);
}
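The "extract a method and call it in both places" option from the comment above, as an added example that is not angular-oauth2-oidc's code: one helper builds the token-endpoint request for both the password grant and the refresh_token grant, so the client-authentication choice (Basic header vs. client_id/client_secret in the body) is made once and cannot be dropped on refresh. It uses a plain header record and URLSearchParams instead of Angular's HttpHeaders/HttpParams; ClientConfig, Grant, buildTokenRequest and authenticatesClient are hypothetical names.

```typescript
// Added example, not library code. Models the library's options:
// clientSecret ~ dummyClientSecret, useHttpBasicAuth ~ useHttpBasicAuthForPasswordFlow.
interface ClientConfig {
  clientId: string;
  clientSecret?: string;
  useHttpBasicAuth: boolean;
  scope?: string;
}

type Grant =
  | { type: 'password'; username: string; password: string }
  | { type: 'refresh_token'; refreshToken: string };

interface TokenRequest { headers: Record<string, string>; body: string }

function buildTokenRequest(cfg: ClientConfig, grant: Grant): TokenRequest {
  const headers: Record<string, string> = {
    'Content-Type': 'application/x-www-form-urlencoded',
  };
  const params = new URLSearchParams();

  // Grant-specific parameters differ; client authentication below does not.
  if (grant.type === 'password') {
    params.set('grant_type', 'password');
    params.set('username', grant.username);
    params.set('password', grant.password);
    if (cfg.scope) params.set('scope', cfg.scope);
  } else {
    params.set('grant_type', 'refresh_token');
    params.set('refresh_token', grant.refreshToken);
  }

  // Decided once for every grant type: either HTTP Basic or body credentials.
  if (cfg.useHttpBasicAuth) {
    headers['Authorization'] = 'Basic ' + btoa(`${cfg.clientId}:${cfg.clientSecret ?? ''}`);
  } else {
    params.set('client_id', cfg.clientId);
    if (cfg.clientSecret) params.set('client_secret', cfg.clientSecret);
  }
  return { headers, body: params.toString() };
}

// Sanity check for the bug in the issue: a token request must carry the client
// credentials in one of the two places; "neither" is what refreshToken() sent.
function authenticatesClient(req: TokenRequest): boolean {
  const body = new URLSearchParams(req.body);
  return req.headers['Authorization']?.startsWith('Basic ') === true || body.has('client_id');
}
```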
1 reaction
jeroenheijmans commented, Dec 6, 2018

Seems like an omission to me then? A PR to fix this would be good.

The reason this might’ve been overlooked (apart from lacking tests) is that the Password Flow isn’t very popular (as it’s considered unsuitable for JS apps, meant for if you’re stuck with legacy architecture), and even when you do use that flow a client secret is quite useless (since the JS is public, not secret).

(I understand and appreciate that you and others might just have to deal with this flow, and the bug should of course be fixed. But at the same time I want to warn others landing here that still have a choice to consider other OAuth/OIDC flows.)
