
refresh token rotation should be optional (fixes #1338) #1342

Merged
merged 4 commits into from
Jan 13, 2022

Conversation

mduriancik

Proposed solution to #1338. The idea is to separate the refresh token from authResult in the storage.
I have tested the solution and it resolves my problem.

Of course more refactoring and more tests could be needed.

@damienbod
Owner

damienbod commented Jan 5, 2022

Hi @mduriancik, firstly thanks for the PR. I'm thinking about this. I think we need an allowUnsafeReUseRefreshToken: boolean configuration to activate this feature. Secondly, I'm not sure about having the refresh token saved twice to the session storage.

Not sure of a solution at present.

Greetings Damien

@FabianGosebrink
Collaborator

Any news on this?

@mduriancik
Author

Hi Fabien,

Thanks for your feedback. Yes, good idea, I can add the property allowUnsafeReuseRefreshToken (default true?).

Yes, it is not quite "DRY" to store the refresh token twice (authResult and refresh_token), but as refresh_token can outlive the immediate authResult it looks to me like the simplest solution.

Other solution: modify the new authResult, transferring the refresh_token from the previous authResult. It looks to me less "elegant", but if you prefer this one I can change my PR. Do you see other possibilities?

Milan

@damienbod
Owner

damienbod commented Jan 10, 2022

allowUnsafeReuseRefreshToken (default false?). We do not want to encourage this, this should only be used if the IDP is missing the feature. This is not a good idea and I'm not even sure we should support this. Maybe ADFS federation to AAD for public IDP would be better.

Greetings Damien

@mduriancik
Author

Added allowUnsafeReuseRefreshToken and a little bit of refactoring:

  • the storage property renamed to reusable_refresh_token, to clarify the purpose of this token
  • default refresh token location is in 'authnResult'
  • refresh token is stored in "reusable_refresh_token" only if the property is enabled

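The storage behaviour described in the thread, as an added illustration that is not the library's own code: the refresh token always lives in the stored authnResult, it is copied into reusable_refresh_token only when allowUnsafeReuseRefreshToken is enabled, and that copy is only consulted when a refresh response (from an IdP that does not rotate refresh tokens) comes back without a refresh_token of its own. The TokenStore class, the AuthResult shape and the two simulate* helpers are assumptions made for the example; the storage key names follow the PR comment above.

```typescript
// Added example, not code from angular-auth-oidc-client. It models the
// storage rule from the PR discussion with an in-memory Map standing in
// for sessionStorage.

interface AuthResult {
  access_token: string;
  refresh_token?: string; // absent in a refresh response from a non-rotating IdP
  expires_in?: number;
}

interface StoreConfig {
  allowUnsafeReuseRefreshToken: boolean; // name taken from the PR thread
}

class TokenStore {
  private readonly storage: Map<string, string> = new Map();
  private readonly config: StoreConfig;

  constructor(config: StoreConfig) {
    this.config = config;
  }

  // Persist a token response. 'authnResult' always receives the whole
  // response. 'reusable_refresh_token' is written only when the unsafe
  // option is on and the response actually carried a refresh token, so a
  // rotating IdP's new token replaces the old copy, while a non-rotating
  // IdP's omitted token leaves the earlier copy in place.
  storeAuthResult(result: AuthResult): void {
    this.storage.set('authnResult', JSON.stringify(result));
    if (this.config.allowUnsafeReuseRefreshToken && result.refresh_token) {
      this.storage.set('reusable_refresh_token', result.refresh_token);
    }
  }

  // Refresh token to send with the next grant_type=refresh_token request.
  // Default behaviour (option off): only what the latest authnResult holds.
  // Option on: fall back to the retained copy when the latest result has none.
  getRefreshToken(): string | undefined {
    const raw = this.storage.get('authnResult');
    const fromResult = raw
      ? (JSON.parse(raw) as AuthResult).refresh_token
      : undefined;
    if (fromResult) {
      return fromResult;
    }
    return this.config.allowUnsafeReuseRefreshToken
      ? this.storage.get('reusable_refresh_token')
      : undefined;
  }
}

// Constructed scenario from #1338: login issues a refresh token, the first
// refresh succeeds, but the IdP's refresh response omits refresh_token.
// Returns the token the client would use for the *second* refresh.
function simulateNonRotatingIdp(allowUnsafeReuse: boolean): string | undefined {
  const store = new TokenStore({ allowUnsafeReuseRefreshToken: allowUnsafeReuse });
  store.storeAuthResult({ access_token: 'at-1', refresh_token: 'rt-1', expires_in: 300 });
  store.storeAuthResult({ access_token: 'at-2', expires_in: 300 }); // no refresh_token
  return store.getRefreshToken();
}

// Constructed scenario for an IdP that rotates refresh tokens: the copy in
// reusable_refresh_token is overwritten and the new token is used either way.
function simulateRotatingIdp(allowUnsafeReuse: boolean): string | undefined {
  const store = new TokenStore({ allowUnsafeReuseRefreshToken: allowUnsafeReuse });
  store.storeAuthResult({ access_token: 'at-1', refresh_token: 'rt-1', expires_in: 300 });
  store.storeAuthResult({ access_token: 'at-2', refresh_token: 'rt-2', expires_in: 300 });
  return store.getRefreshToken();
}
```

With the option left at its default of false, simulateNonRotatingIdp returns undefined, which is the failure reported in #1338: after one refresh the client has no token for the next one. With the option enabled it returns 'rt-1', the original, non-rotated token. The "unsafe" in the name is earned: a refresh token that is reused for the whole session sits in browser storage for its full lifetime, so anyone who can read that storage (an injected script, for example) gets a long-lived credential that rotation would otherwise have invalidated on first reuse. Enable it only for an IdP that genuinely does not issue a new refresh token on each refresh.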
@damienbod damienbod merged commit b7a3c42 into damienbod:main Jan 13, 2022
@damienbod
Owner

Hi @mduriancik, I will add this to the next release. Thanks!

Greetings Damien

@sonzo

sonzo commented Mar 3, 2022

@damienbod

What is the status on this?

I can see the build didn't go through:
https://github.com/damienbod/angular-auth-oidc-client/runs/4779278390?check_suite_focus=true
