I've been using the oidc-client-ts package, and I've encountered an issue regarding the support for refresh token rotation. This feature is a requirement for being able to securely store refresh tokens on the client side, and it's an important security measure that we currently have to disable, which unfortunately lowers our security standards.
Apart from the multiple tabs issue mentioned in #430, we've identified another problem that we hope can be addressed alongside. The issue is described as follows:
Currently, signinSilent() lacks a mechanism to prevent concurrent executions. When signinSilent() is executed concurrently, it attempts to use the same refresh token for multiple requests. However, due to refresh token rotation being enabled, subsequent requests fail because the refresh token has already been used to obtain a new access token and refresh token.
In scenarios where automatic silent renewal is enabled, there are timer tasks set to refresh tokens periodically. This makes it impractical to manually trigger signinSilent() as concurrent executions are inevitable. As a result, in certain situations, such as when the browser is just activated, it becomes impossible to manually trigger signinSilent(), and we have to rely on the automatic refresh mechanism.
Implementing a mechanism within signinSilent() to prevent concurrent executions could potentially resolve this issue. This would ensure that only one refresh operation is ongoing at any given time, thereby avoiding the aforementioned problems.
Looking forward to your assistance in addressing this matter. Thank you for your time and consideration.