jeroenheijmans/sample-angular-oauth2-oidc-with-auth-guards

Refresh token and silent refresh

mlbiche opened this issue · 3 comments

I have a question regarding to refresh token and silent refresh (maybe because I am pretty new to OAuth2 and OIDC).

The module documentation regarding to silent refresh using Code Flow does not mention any use of this.oauthService.silentRefresh() but instead the use of this.oauthService.refreshToken().

I am getting inspiration from you repo which is a great inspiration for getting starting with OAuth2 and OIDC within Angular and I am wondering why you use this.oauthService.silentRefresh() (auth.service.ts:109) and if you have seen this note in the module documentation ?
Also, you have not added offline_access in the scope as advised in the documentation. Is it on purpose ?

Thank you for your answer 😃

Hey! The sample uses the iframe based silent refresh currently. In #40 you can read up about caveats with this approach: basically if you serve your IDS on a different domain than your app, then you'll be in trouble.

Refresh tokens are one way to deal with that. As you said it requires offline_access in the scope. It should be quite possible to use that with my sample. Things to keep in mind:

  • Add offline_access to the scope, and you should get a refresh token
  • Change your client_id too if needed, and make sure your ID Server is allowed to give out refresh tokens
  • Add any additional mitigations in your architecture to prevent abuse of refresh tokens
  • (MAYBE - not sure if this is needed) => you might need to change the way my sample does refreshes, but maybe not

For that last point: just give it a go, and get back to us what you found! That might help others.

Hi !
Thanks for your quick answer. Just read your comment and the issue you are mentioning.
Yesterday, I managed to get refresh token working but I receive the refresh token even without adding offline_access to the scope. I even get an error from my IDS when I add offline_access to the scope. This situation may be specific to my IDS which is Keycloak.
Also, as the IDS server (id.myapp.com) is on a similar subdomain as the application (app.myapp.com) it may make things easier.

Here is what changes in my code so it may help people dealing with refresh token in Code Flow with Keycloak :

  • In initial login sequence, after loading the discovery document, trying loging and having an invalid access token (I am using an async/await format, but it is the same):
    if (this.oauthService.getRefreshToken()) {
      try {
        await this.oauthService.refreshToken();
      } catch(err) {
        // Refresh token has failed
        this.isDoneLoading$.next(true);
        this.user$.next(null);
      }

      // Refresh token has succeeded
      // Handle successful login
    }

    // Login failed and refresh token is missing
    this.isDoneLoading$.next(true);
    this.user$.next(null);

    return Promise.resolve();
  • In the authentication config, I have turn useSilentRefresh option to true.

I am open to any comment, tell me what you think about this solution and what is missing 😉

Thx for sharing! I think we can close this issue for now, right? Feel free to post if you have more to share with others landing here, or link to any fork you might have with such a setup.