Open rouven-s opened 4 days ago
HttpInterceptor does not allow correct workflow without refresh token fallback.
I do not think this is an accurate description. The behavior you are seeing is expected. AllowAnonymous is meant exactly for this (ignore when we have no token, pass the token when we do have one). You will see the same behavior when u set useRefreshTokenFallback
to true and you have no active session with Auth0.
I think your use-case is rather unique in such a way that I'd recommend rolling your own interceptor.
@frederikprijck but doesn't that mean that the interceptor can never be used correctly when not using the refreshFallback option? Since you can't react to the "getAccessTokenSilently" the way that is recommended here: https://auth0.github.io/auth0-spa-js/interfaces/Auth0ClientOptions.html#useRefreshTokensFallback
If that's the case, it would still be great to somehow use the "findMatchingRoute" method using the SDK, since otherwise I'd have to copy it for the custom solution and it will be out of sync with future updates to the SDK
You can, but not with allowAnonymous set to true for the endpoint.
Im happy to review a PR that makes it protected.
Checklist
Description
Due to browser restrictions we had to disable the refresh token fallback (useRefreshTokensFallBack: false) and are now catching the according potential errors as described (https://auth0.github.io/auth0-spa-js/interfaces/Auth0ClientOptions.html#useRefreshTokensFallback) during the login flow, which works correctly.
We have API routes that are accessible anonymously but provide additional information for logged in users. They are configured using "allowAnonymous: true". When the access token for these expires, but the user is authenticated, we would like to do a loginWithRedirect to retrieve a new token.
The problem is that the AuthHttpInterceptor does a "getAccessTokenSilently()" (which will fail with "missing_refresh_token"), then checks if the route is configured as "allowAnonymous" and ignores the error if this is the case, executing the request without a token and without a possibility to react to the error as a result. (See https://github.com/auth0/auth0-angular/blob/main/projects/auth0-angular/src/lib/auth.interceptor.ts#L72)
I can see two possible solutions:
tl;dr Current AuthHttpInterceptor implementation does not comply with recommended workflow for "useRefreshTokensFallBack: false" configuration (see example https://auth0.github.io/auth0-spa-js/interfaces/Auth0ClientOptions.html#useRefreshTokensFallback)[](url)
Reproduction
Additional context
No response
auth0-angular version
2.2.3
Angular version
18.0.0
Which browsers have you tested in?
Chrome, Firefox, Other