access_token never changes

[mellis481]

I'm working to implement silent renew at the moment and discovered that the access_token that I'm getting from my IdP never changes. I logged in this morning and noticed that the access_token I received was the same as the one I had three days ago. Thinking it might be due to a retained browser storage item, I switched browsers (from Chrome to FF), cleared any residual oidc.******************** local storage objects in FF, then logged in with my IdP. The access_token I received in FF was the same as the one I got in Chrome this morning which was the same as the one I had three days ago in Chrome.

As far as code, here is my client setting object:

{
    "authority": "https://my-auth-server/identity",
    "client_id": "my-client-id",
    "post_logout_redirect_uri": "https://localhost:9000/ui/loggedout",
    "redirect_uri": "https://localhost:9000/ui/authorize",
    "response_type": "id_token token",
    "scope": "openid profile"
}

I'm simply calling userManager.signinCallback() when the IdP redirects to my authorization callback endpoint. And I'm retrieving the access_token by calling userManager.getUser().

My expectation (especially with the silent renew work I'm doing which, as I understand it, returns a new access_token) is that each authenticated session would have a different access_token.

What am I doing wrong?

[brockallen]

The access token in your code does not change, or the access token in storage does not change?

[mellis481]

Going all the way back to the source, the access_token in the redirect URL from the IdP login screen to my client's authorization callback endpoint never changes.

[mellis481]

I'm seeing this with another IdP too which makes me think it's something to do with how I have oidc-client-js set up.

I updated my client settings to point to a second, completely separate IdP and I'm seeing the same access_token for the IdP across browser sessions and, after logging out and logging back in. To be clear, this access_token is different than the one provisioned by the first IdP, but every session for this second IdP has the same access_token as other sessions for the second IdP.

[brockallen]

I just ran the VanillaJs sample in the repo and used the "code flow w/ IdentityServer" version and got these two access tokens:

  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjVDQ0FBMDNFRERFMjZENTMxMDRDQzM1RDBENEIyOTlDIiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE2MTIyMDU0NDUsImV4cCI6MTYxMjIwOTA0NSwiaXNzIjoiaHR0cHM6Ly9kZW1vLmlkZW50aXR5c2VydmVyLmlvIiwiYXVkIjoiYXBpIiwiY2xpZW50X2lkIjoiaW50ZXJhY3RpdmUucHVibGljIiwic3ViIjoiMTEiLCJhdXRoX3RpbWUiOjE2MTIyMDU0NDQsImlkcCI6ImxvY2FsIiwianRpIjoiNDI3RkI3MjBGNDVFQ0FBNkZGQUZCNkIzRThEMUZBNzYiLCJzaWQiOiJEMzY4Q0ZFRDIyNUM3RkY1MEM1MkY4RTIwNzlGQjI1NyIsImlhdCI6MTYxMjIwNTQ0NSwic2NvcGUiOlsib3BlbmlkIiwicHJvZmlsZSIsImFwaSJdLCJhbXIiOlsicHdkIl19.puyBPtKIJfP5kb-x7TeDTUJ5UU5-qEQpZOLua-A5I4aG0Bt3AYWHaBlAiuER6j-yoSD_CAERQBj6zjDichAwwVaUGdPANJUAtPQQNwQggKwKbr-35kNlEAc2LkKf0cEpBLOiAxYXO0QDOtIGH4sQuV2CupLHx9hye0XMqdsLtOwKkbi5OfU44nsvxI2WEmGUTgU3yQss8oZ8E6sO-_AcU1MVe57bi4bUTBEP6Nshwbqd_XhgvJrKjWUQfDDDU5FoJTfneHRur7PoWBAY7MeIjfOy2QBbkY54Q3WcpTvN7MrQ3ioaPduYgtsJvMDmizPsJ0skqCXYnaPX7IYYduAK9A",

  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjVDQ0FBMDNFRERFMjZENTMxMDRDQzM1RDBENEIyOTlDIiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE2MTIyMDU0NTYsImV4cCI6MTYxMjIwOTA1NiwiaXNzIjoiaHR0cHM6Ly9kZW1vLmlkZW50aXR5c2VydmVyLmlvIiwiYXVkIjoiYXBpIiwiY2xpZW50X2lkIjoiaW50ZXJhY3RpdmUucHVibGljIiwic3ViIjoiMTEiLCJhdXRoX3RpbWUiOjE2MTIyMDU0NDQsImlkcCI6ImxvY2FsIiwianRpIjoiRDlCQTFCNEFERjQ1NTVDQkNBNEVBOUI1MkEzQkQwOTMiLCJzaWQiOiJEMzY4Q0ZFRDIyNUM3RkY1MEM1MkY4RTIwNzlGQjI1NyIsImlhdCI6MTYxMjIwNTQ1Niwic2NvcGUiOlsib3BlbmlkIiwicHJvZmlsZSIsImFwaSJdLCJhbXIiOlsicHdkIl19.e-zbzDCkJJZGzBqAr8Ep8xditW84cqfJMhAJyOVvmqpNsNzRYo5XanNtN8cjeDkNj5HYahXUuJvJQudHOq6uEgFFaKhwTSP5pilz1QO7guBbgwqhv-4InPMHU8QHmqnjV5JtP-G2O7AhuCV88Z2h-COeoW24zV6KOQkaGSG7qdNW0jXQisDmB3NMbTn3Kl_OlnsMAVNVwberC3H1S1r4ZK9qR2BK_rVI6EVr4Pu0eGOsHPWZd0XEcce3oLkIXfWRTt2YaNauX_LEqNsny_c_26S-uISwvDLNhHRjCD8qzEC6jCvTk-_HDo8jb6KUSxvi9IdE6xGEqLWTY5G6lm9U-A",

So I'm pretty sure we're getting the updated/new access tokens on silent renew.

[brockallen]

As for then why you're not seeing it, I'm not sure. The design of the UserManager is that there should be only one instance on the page, and your call to getUser only returns the current data from storage. After the silent renew, you will need to get the updated user into your app layer code.