Closed vw98075 closed 1 year ago
JHipster 7.2.0 added support for refresh tokens.
https://www.jhipster.tech/2021/09/14/jhipster-release-7.2.0.html
You'll need to add `offline_access` to your list of scopes in `application.yml` for this to work.
Thanks, Matt, for your quick response. I already upgraded the project to 7.2.0 last Friday and I don't see "offline_access" in the application.yml file. I had a look at ticket #15424 and don't know how I can act.
You need to change your `application.yml` file from having:
`scope: openid,profile,email`
To having:
`scope: openid,profile,email,offline_access`
Thanks for the info.
Hi, Matt,
I have made the change for over 24 hours. Here is my observation in regard to the issue after the configuration file change.
Reloading a page will keep the user signed in (in comparison to the logoff for the user). If a user clicks a button in the entity section after some idle time, the expected data doesn't show up on the UI. There are the following log messages:
2021-09-21 10:27:29.087 WARN 28996 --- [ XNIO-1 task-5] o.z.problem.spring.common.AdviceTraits : Unauthorized: Full authentication is required to access this resource
2021-09-21 10:27:29.087 WARN 28996 --- [ XNIO-1 task-5] .m.m.a.ExceptionHandlerExceptionResolver : Resolved [org.springframework.security.authentication.InsufficientAuthenticationException: Full authentication is required to access this resource]
I guess there are two solutions for this problem. One is to prompt the user to the log-in panel. The other one is to take the same action as reloading a page prior to taking a request (by using a filter?).
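One way a browser client could handle the 401 described in the comment above, following its first option (send the user to the log-in panel) while remembering the page they were on. This is an added example, not JHipster's code; the function names, the `returnPath` key and the `/api/account` probe path are assumptions.

```typescript
// Added example, not JHipster code. All names below are hypothetical.
type Decision = 'continue' | 'login';

interface KeyValueStore {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

const RETURN_KEY = 'returnPath';      // assumed storage key
const ACCOUNT_PROBE = '/api/account'; // assumed "who am I" endpoint

// Accept only same-origin absolute paths: "/order/5" yes; "//host", "https://..." or "/\host" no.
function isSafeReturnPath(path: string): boolean {
  return path.charAt(0) === '/' && path.charAt(1) !== '/' && path.indexOf('\\') === -1;
}

// Call for every API response. A 401 on a normal API call means the session
// expired while the page stayed open, so remember the route and ask for login.
function onApiResponse(status: number, requestUrl: string, currentRoute: string, store: KeyValueStore): Decision {
  if (status !== 401) return 'continue';
  // The account probe returns 401 for anonymous visitors too; redirecting on it would loop.
  if (requestUrl.indexOf(ACCOUNT_PROBE) !== -1) return 'continue';
  if (isSafeReturnPath(currentRoute)) store.setItem(RETURN_KEY, currentRoute);
  return 'login';
}

// Call once after re-authentication to send the user back where they were.
// The stored value is re-validated because client-side storage is not trusted input.
function consumeReturnPath(store: KeyValueStore): string {
  const saved = store.getItem(RETURN_KEY);
  store.removeItem(RETURN_KEY);
  return saved !== null && isSafeReturnPath(saved) ? saved : '/';
}

// In-memory stand-in for sessionStorage so the example runs outside a browser.
function memoryStore(): KeyValueStore {
  const data: { [key: string]: string } = {};
  return {
    getItem: (k: string): string | null => { const v = data[k]; return v === undefined ? null : v; },
    setItem: (k: string, v: string): void => { data[k] = v; },
    removeItem: (k: string): void => { delete data[k]; },
  };
}
```

In a browser, `sessionStorage` satisfies `KeyValueStore`, and a `'login'` decision is where the client would navigate to its log-in route.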
As far as I remember, OAuth2 tokens are not stored on the client side (angular/react/vue). Probably doesn't apply to Ionic. They are stored in the session. Once the session expires, the token is gone. Offline will not help here.
Correction: stored inside cookies: https://github.com/jhipster/generator-jhipster/pull/15424#issuecomment-869079042
That's a good point @mshima. For Ionic and React Native, they should work with refresh tokens because the tokens are stored on the client.
Refresh tokens are working correctly. Default token is set to expire in 30min, once the grace period is met, 1 min: https://github.com/jhipster/generator-jhipster/blob/9d12776c8c52e2e087eee45e14631163d8d48d29/generators/server/templates/src/main/java/package/config/OAuth2Configuration.java.ejs#L30 The token is renewed correctly.
Here is one more observation:
After some idle time, I click "sign out" on a page in the entity section. And the click won't lead to any changes on the UI. The action leads to the desired result after I reload the page.
I just have some free time to look into this issue. I am wondering whether a filter can be used to check a time-out status or not. Can someone from the JHipster team provide some assistance in this regard?
@vw98075 I'd love to collaborate with you and figure out a solution for this. I think Spring Security has a way of saving the state between timeout and re-auth, so that might help. I'll add a bug bounty to fix.
I thought this one was fixed already.
Anyway, I had looked into this issue before actually. I tried to find where a user's session data is stored, without luck. Once I had the information, I could use a Spring Security filter chain to redirect any HTTP requests to the login if a user session is expired. I don't know whether this thought is too naive or not.
I suppose this is a duplicate of https://github.com/jhipster/generator-jhipster/issues/17316.
Overview of the issue
A user would run into an error when s/he uses the entity section of the Web UI after some idle time. The user was signed in before. If this user reloads a web page, s/he will be led to the home page.
Motivation for or Use Case
A better user experience
Reproduce the error
Related issues
Suggest a Fix
JHipster Version(s)
7.1.0
JHipster configuration
Entity configuration(s) `entityName.json` files generated in the `.jhipster` directory
Browsers and Operating System