AxaFrance / oidc-client

Light, Secure, Pure Javascript OIDC (Open ID Connect) Client. We provide also a REACT wrapper (compatible NextJS, etc.).
MIT License

When trying to refresh the access token after a user has been signed out on the server, the connect/token endpoint gets spammed. #1265

Closed dpcodes closed 5 months ago

dpcodes commented 5 months ago

We use IdentityServer4 as our IDP. We also have an SSOLifetime set meaning that the user needs to re-authenticate after X amount of time.

The silent refresh works perfectly, except when it tries to refresh after passing the SSO expiration. It will redirect to the SessionLost component like expected, but then it will completely spam the connect/token endpoint.

The error in appinsight is simply that the refresh token is invalid, as expected since when the IDP logs you out, it also revokes all your tokens.

First, everything goes well, the first refresh works: image

But then, once it tries to refresh after the SSO expires: image

It seems to be stuck in a loop of begin > error.

Configuration is nothing special: image

Expected Behavior: I would expect once we hit the SessionLost component that we either wait for a refresh of the browser to retrigger the flow, or query the connect endpoint at a set interval, but not crazy fast like it does right now.

Not exactly sure why it's looping like such, was hoping you'd have more insight.

Thank you!
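The expected behaviour described in the report (stop, or back off at a sane interval, instead of hammering connect/token once the refresh token has been revoked) as an added example in plain JavaScript; it is not part of oidc-client or of this issue, and the planner, its status/error handling and the delay constants are assumptions, not the library's implementation:

```javascript
// Added example (not oidc-client's own code): decide what a silent-refresh loop
// should do with a token-endpoint result, so a revoked refresh token ends the
// session instead of being retried in a tight loop.
const BASE_DELAY_MS = 1000;          // first backoff step for transient failures
const MAX_DELAY_MS = 60000;          // cap on backoff between retries
const MAX_TRANSIENT_RETRIES = 8;     // give up after this many consecutive failures
const REFRESH_MARGIN_MS = 30000;     // refresh this long before the access token expires

// result: { status: number, body?: { error?: string, access_token?: string, expires_in?: number } }
// attempt: consecutive failed refresh attempts so far (0 on the first try).
function planNextRefresh(result, attempt) {
  if (result.status === 200 && result.body && result.body.access_token) {
    // Success: schedule the next silent refresh shortly before expiry.
    const lifetimeMs = (result.body.expires_in || 0) * 1000;
    return { action: "schedule", delayMs: Math.max(0, lifetimeMs - REFRESH_MARGIN_MS), attempt: 0 };
  }
  const code = (result.body && result.body.error) || "http_" + result.status;
  if (result.status === 400 || result.status === 401 || result.status === 403) {
    // RFC 6749 s5.2: invalid_grant means the refresh token is expired or revoked
    // (e.g. the IdP ended the SSO session). Retrying can never succeed, so hand
    // over to the session-lost flow. Retrying here is what spams connect/token.
    return { action: "session_lost", reason: code };
  }
  if (attempt + 1 >= MAX_TRANSIENT_RETRIES) {
    return { action: "session_lost", reason: "retries_exhausted" };
  }
  // Transient failure (network error, 5xx, 429): retry with capped exponential backoff.
  const delayMs = Math.min(MAX_DELAY_MS, BASE_DELAY_MS * 2 ** attempt);
  return { action: "retry", delayMs, attempt: attempt + 1 };
}

// Drive the planner over a scripted sequence of token-endpoint results
// (constructed, no network) and return the actions taken, so the stop
// condition can be checked without a real IdP.
function simulateRefreshLoop(results) {
  const actions = [];
  let attempt = 0;
  for (const result of results) {
    const plan = planNextRefresh(result, attempt);
    actions.push(plan.action);
    if (plan.action === "session_lost") break; // no further connect/token calls
    attempt = plan.attempt;
  }
  return actions;
}

// One good refresh, then the IdP revokes the grant: exactly one failed call, then stop.
console.log(simulateRefreshLoop([
  { status: 200, body: { access_token: "constructed", expires_in: 300 } },
  { status: 400, body: { error: "invalid_grant" } },
  { status: 400, body: { error: "invalid_grant" } },
]));
```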

guillaume-chervet commented 5 months ago

Hi @dpcodes thank you very much for your issue and all details. It should be a big bug. I will try to reproduce it and fix it today.

guillaume-chervet commented 5 months ago

hi @dpcodes ,

I fail to reproduce it. I removed the cookie from the demo configured with only silentsignin and it seems to work.

Do you have more information? A video or something else?


dpcodes commented 5 months ago

I believe the config you are trying is different than what we have:

  1. We are NOT using cookies
  2. We are using refresh token
  3. We have a set expiry time (using UserSsoLifetime) on identity server
  4. We are using the service worker

It fails trying to use the refresh token (expected) once the user gets forcibly logged out past the SSOLifetime and then loops.

guillaume-chervet commented 5 months ago

hi @dpcodes do you still have the problem with the latest version?

guillaume-chervet commented 5 months ago

hi @dpcodes version 7.15.4-alpha.1309 should fix the loop!