Open mr-nothing opened 3 weeks ago
Hi @mr-nothing, thank you for your issue.
Do you have a sample of your configuration? Are you using a service worker?
Do you have a sample of your tokens request response? The main logic is here: https://github.com/AxaFrance/oidc-client/blob/4fa4992af022a88ce58a2e31580e93acab8dc3fb/packages/oidc-client/src/parseTokens.ts#L90
You can play with these parameters to find your best configuration:
configuration: {
  refresh_time_before_tokens_expiration_in_second: Number, // default is 120 seconds
  token_renew_mode: String, // Optional, update tokens based on the selected token(s) lifetime: "access_token_or_id_token_invalid" (default), "access_token_invalid", "id_token_invalid"
  token_automatic_renew_mode: TokenAutomaticRenewMode.AutomaticOnlyWhenFetchExecuted, // Optional, default is TokenAutomaticRenewMode.AutomaticBeforeTokensExpiration
  // TokenAutomaticRenewMode.AutomaticBeforeTokensExpiration: renew tokens automatically before they expire
  // TokenAutomaticRenewMode.AutomaticOnlyWhenFetchExecuted: renew tokens automatically only when fetch is executed
  // It requires you to use fetch given by hook useOidcFetch(fetch) or HOC withOidcFetch(fetch)(Component)
  logout_tokens_to_invalidate: Array<string>, // Optional tokens to invalidate during logout, default: ['access_token', 'refresh_token']
},
Issue and Steps to Reproduce
refresh_time_before_tokens_expiration_in_second to 30 and token_renew_mode to access_token_invalid.
client idle session time to 5 minutes and client max session time to 5 minutes.
Versions
oidc-client - 7.22.4
Expected
When the session is going to expire in 30 seconds, I expect the client not to make any requests to refresh the token, despite the fact that 30 or fewer seconds remain before the access token expires, since every new token's expiration time will be constricted by the session max time anyway.
Actual
When the session is going to expire in 30 seconds, the oidc client makes requests to refresh the access token approx. every second, which is frustrating in the case of short-lived Keycloak sessions (30 to 60 minutes, for example). I saw this section in the FAQ, but it states that it is kinda ok, and I think this behaviour can be fixed pretty easily just by not refreshing the token on a periodic basis and refreshing it only in case something bad happened (e.g. 401, 403 or some other scenarios), if it is required at all.
Thanks in advance for clarification and any info!
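
The loop reported in this issue, as an added example that is not part of the original post and not code from oidc-client: a one-second renewal timer is simulated against a token endpoint that caps expiry at the session max time, first with a plain threshold rule and then with a guard that stops renewing once a refresh no longer extends the expiry. All function names, the one-second tick and the 60-second token lifetime are assumptions; 300 seconds (5 minutes) and 30 seconds are the values from the report.

```javascript
// Added illustration; every name here is hypothetical, not the library's API.

// Constructed token endpoint: a refresh yields a token valid for
// `tokenLifetime` seconds, but never beyond the session end.
function issueToken(now, tokenLifetime, sessionEnd) {
  return { expiresAt: Math.min(now + tokenLifetime, sessionEnd) };
}

// Plain rule: refresh whenever remaining lifetime is within the threshold.
function naiveShouldRefresh(token, now, threshold) {
  return token.expiresAt - now <= threshold;
}

// Guarded rule: same trigger, but skipped once the previous refresh failed
// to push the expiry forward (the session cap has been reached).
function guardedShouldRefresh(token, now, threshold, state) {
  return token.expiresAt - now <= threshold && !state.capped;
}

// Ticks once per simulated second and returns the number of refresh requests.
function simulate({ sessionMax, tokenLifetime, threshold, guarded }) {
  let token = issueToken(0, tokenLifetime, sessionMax);
  const state = { capped: false };
  let refreshes = 0;
  for (let now = 1; now < sessionMax; now++) {
    const due = guarded
      ? guardedShouldRefresh(token, now, threshold, state)
      : naiveShouldRefresh(token, now, threshold);
    if (!due) continue;
    const next = issueToken(now, tokenLifetime, sessionMax);
    refreshes++;
    // No gain in lifetime means further refreshes cannot help either.
    state.capped = next.expiresAt <= token.expiresAt;
    token = next;
  }
  return refreshes;
}

// Values from the report: 5-minute session, 30-second threshold.
const report = { sessionMax: 300, tokenLifetime: 60, threshold: 30 };
console.log("plain rule:  ", simulate({ ...report, guarded: false }));
console.log("guarded rule:", simulate({ ...report, guarded: true }));
```

The guard still spends one request to discover the cap, because in this model the client learns the session end only from the capped expiry it gets back.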