gardner / react-oauth2-pkce

React auth provider that works with AWS cognito PKCE🛡️🔒

Handle invalid refresh token responses #27

Open t-knapp opened 2 years ago

t-knapp commented 2 years ago

Hello folks,

I am facing a problem with autoRefresh enabled. If the tokenEndpoint responds with a non-success HTTP status code, the response body is still stored in localStorage. The value is not a valid AuthTokens object and crashes the jwt-decode call. Since the token values are read from localStorage, the app won't work even when reloading the whole page. The only fix is to remove the 'auth' value from localStorage.

If the response from the tokenEndpoint is HTTP 400, e.g. if the refresh_token expired (see the OIDC API doc for the tokenEndpoint: https://connect2id.com/products/server/docs/api/token#overview), the response body should not be stored. Instead, a full login cycle should be kicked off.

It's a little bit tricky to reproduce. I mocked the HTTP request to the tokenEndpoint of the IDP (Keycloak in my case) with a Chrome extension, https://github.com/mukuljainx/Mokku. This is the body I returned in the mock:

{
    "error": "invalid_grant",
    "error_description": "Invalid refresh token"
}

The fix proposed in this PR will start a new login cycle.

Kind regards, Tobias
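The failure mode described in the report, as an added example that is not code from react-oauth2-pkce or from the PR: a token-endpoint reply is validated before anything is written to storage, a 4xx with error=invalid_grant clears the stored value and signals that a full login must be started, and a stored value that is not a token set (the state the bug leaves behind) is discarded on load instead of crashing the decoder. Assumptions: the storage key 'auth' named in the report, a token set that has string access_token and refresh_token fields, an in-memory stand-in for window.localStorage so it runs in Node, and a minimal unverified-payload decoder standing in for jwt-decode. The constructed JWT is unsigned and for illustration only.

```javascript
// Added example (not react-oauth2-pkce's code). Node >= 15.7 for 'base64url'.

const STORAGE_KEY = 'auth' // assumption: key under which the tokens are stored

// In-memory stand-in for window.localStorage (assumption, so this runs offline).
function makeStorage() {
  const store = new Map()
  return {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => { store.set(k, String(v)) },
    removeItem: (k) => { store.delete(k) },
  }
}

// Decode a JWT payload without verifying it, like jwt-decode does; throws on
// non-JWT input, which is what crashes the app when an error body is stored.
function decodeJwtPayload(token) {
  if (typeof token !== 'string') throw new Error('Invalid token: not a string')
  const parts = token.split('.')
  if (parts.length !== 3) throw new Error('Invalid token: expected header.payload.signature')
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'))
}

// Structural check: only an object with a string refresh_token and an
// access_token whose payload decodes counts as a token set.
function isAuthTokens(body) {
  if (!body || typeof body !== 'object') return false
  if (typeof body.access_token !== 'string' || typeof body.refresh_token !== 'string') return false
  try { decodeJwtPayload(body.access_token); return true } catch { return false }
}

// Decide what to do with a token-endpoint reply. Returns one of:
//   { action: 'stored', tokens }   2xx with a valid token set: persisted
//   { action: 'login', reason }    4xx (e.g. invalid_grant): storage cleared, run a full login
//   { action: 'retry', reason }    anything else (5xx, 2xx with junk): keep old tokens, try later
function handleRefreshResponse(status, body, storage) {
  if (status >= 200 && status < 300 && isAuthTokens(body)) {
    storage.setItem(STORAGE_KEY, JSON.stringify(body))
    return { action: 'stored', tokens: body }
  }
  if (status >= 400 && status < 500) {
    // RFC 6749 section 5.2: error=invalid_grant on a refresh means the refresh
    // token is invalid, expired or revoked. Never persist this body; drop the
    // stale value so a reload cannot crash on it, and ask for a new login.
    storage.removeItem(STORAGE_KEY)
    const reason = body && typeof body === 'object'
      ? (body.error_description || body.error || `http ${status}`)
      : `http ${status}`
    return { action: 'login', reason }
  }
  return { action: 'retry', reason: `unexpected token endpoint response ${status}` }
}

// Read the stored token set. If what is stored is not a token set (the state
// the bug leaves behind), remove it and report "not logged in" instead of
// letting the decoder throw on every page load.
function loadStoredTokens(storage) {
  const raw = storage.getItem(STORAGE_KEY)
  if (raw === null) return null
  let parsed = null
  try { parsed = JSON.parse(raw) } catch { parsed = null }
  if (!isAuthTokens(parsed)) {
    storage.removeItem(STORAGE_KEY)
    return null
  }
  return parsed
}

// Constructed, unsigned JWT for the demo (alg=none, fake signature). Never use in production.
function makeFakeJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url')
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`
}

// Demo: a good refresh, then the mocked 400 from the report.
const demoStorage = makeStorage()
const goodBody = {
  access_token: makeFakeJwt({ sub: 'alice', exp: 2000000000 }),
  refresh_token: 'rt-1', token_type: 'Bearer', expires_in: 300,
}
console.log(handleRefreshResponse(200, goodBody, demoStorage).action)   // stored
const mockedError = { error: 'invalid_grant', error_description: 'Invalid refresh token' }
console.log(handleRefreshResponse(400, mockedError, demoStorage))        // { action: 'login', ... }
console.log(demoStorage.getItem(STORAGE_KEY))                            // null
```

The point of the 4xx branch is that the error body is never written: whatever the caller does next, a reload cannot find an `{ "error": ... }` object under the auth key. `loadStoredTokens` is the belt-and-braces side for users who already have a poisoned key from the old behaviour.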

Booyaabes commented 2 years ago

Same problem here. I have just made some tests with @t-knapp's code, and it works.

msalar-din commented 1 year ago

@t-knapp can we have this feature flagged, so this only kicks off if the flag is true?

This PR is exactly what I feel was missing from this package. Thanks for it!