velopert/veltrends

Refresh Token failure when multiple tabs are opened.

Closed this issue · 1 comments

Since the token system uses Refresh Token Rotation, a refresh token can only be used once. If a specific refresh token is used more than twice, the following token will be blocked.

Current system uses a TokenRefreshScheduler which refreshes the access token before it expires.

The problem kicks in when multiple tabs are opened. All the opened tabs will eventually refresh the token at the same time, and it will cause the token to be blocked.

Possible solutions that come to my mind are:

  1. Use session storage and somehow allow only one tab to refresh the token.
  2. Disable the token scheduler when the user loses focus, and re-enable it when the user comes back to the tab. This is not a good solution because the token won't refresh while the user is away from the tab. To properly implement this method, the browser has to check the token expiration time by making a request to the server and refresh the token accordingly.
  3. Refresh the token only when the user faces a 401 TokenExpiredError. Then, retry the request that caused the error. This is a very common solution, but it might lead to other issues (what if there are multiple concurrent requests?), and the flow will get complicated.

I am going for the first solution since it is easier to implement. However, the third solution is also worth a try. Maybe I will try it later.

I had to use localStorage because sessionStorage is not shared across different windows (it only works in the same window with multiple tabs).

The counter increases on page init & page focus. I think I should reimplement this with the 3rd solution because it is quite hacky...
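For the concurrent-request concern raised under option 3, an added example (not code from veltrends): every request that hits a 401 awaits one shared in-flight refresh promise, so the rotated refresh token is presented only once. `createServer`, `createClient` and `run` are hypothetical names, and the server is a constructed in-memory stand-in for a backend that blocks on refresh token reuse.

```javascript
// Constructed stand-in: rotates the refresh token and blocks once an old one is reused.
function createServer() {
  let current = 'r0', n = 0, blocked = false;
  return {
    async refresh(token) {
      await new Promise((resolve) => setTimeout(resolve, 5)); // simulated latency
      if (blocked || token !== current) { blocked = true; throw new Error('token blocked'); }
      current = `r${++n}`;
      return { refreshToken: current, accessToken: `a${n}` };
    },
    async api(accessToken) {
      if (accessToken !== `a${n}`) {
        throw Object.assign(new Error('TokenExpiredError'), { status: 401 });
      }
      return 'ok';
    },
    isBlocked: () => blocked,
  };
}

// Client that refreshes on 401 and retries; singleFlight toggles the shared promise.
function createClient(server, singleFlight) {
  let tokens = { refreshToken: 'r0', accessToken: 'expired' };
  let inFlight = null;
  async function doRefresh() {
    tokens = await server.refresh(tokens.refreshToken);
  }
  function refresh() {
    if (!singleFlight) return doRefresh(); // naive: one refresh call per failed request
    if (!inFlight) inFlight = doRefresh().finally(() => { inFlight = null; });
    return inFlight; // later callers wait on the refresh already under way
  }
  return async function request() {
    try {
      return await server.api(tokens.accessToken);
    } catch (err) {
      if (err.status !== 401) throw err;
      await refresh();
      return server.api(tokens.accessToken); // retry once with the new access token
    }
  };
}

// Fire three concurrent requests with an expired access token and report the outcome.
async function run(singleFlight) {
  const server = createServer();
  const request = createClient(server, singleFlight);
  const results = await Promise.allSettled([request(), request(), request()]);
  const ok = results.filter((r) => r.status === 'fulfilled').length;
  return { ok, blocked: server.isBlocked() };
}
```

The shared promise lives in one tab's memory, so it does not by itself coordinate refreshes across tabs.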