keycloakify / oidc-spa

Openid connect client for Single Page Applications
https://www.oidc-spa.dev
MIT License

non jwt refresh tokens #33

Closed mftruso closed 1 month ago

mftruso commented 1 month ago

Microsoft Entra ID does not use JWTs for refresh tokens.

Refresh tokens are encrypted and only the Microsoft identity platform can read them.

However, there are various checks in this library to read the refresh token expiration time. https://github.com/keycloakify/oidc-spa/blob/main/src/oidc.ts#L1672

Is there a way to bypass those checks in cases like this where the refresh token is not a JWT?

garronej commented 1 month ago

Hello @mftruso,

Thanks for reporting.

I've released a candidate fix: https://github.com/keycloakify/oidc-spa/blob/d0559ce60b659fb15b5da957b9054260edfa63b8/src/oidc.ts#L1675-L1682

(This log is printed to the console only when debug mode is enabled)

You can try with oidc-spa@5.4.1-rc.0; let me know if it fixes it for you.
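The shape of the tolerant check discussed in this thread, written here as an added illustration rather than oidc-spa's own code: the refresh token is only decoded as a JWT when it structurally is one, and an opaque token (such as the encrypted refresh tokens Entra ID issues) simply yields an unknown expiration instead of an error. Function names and the sample tokens are assumptions/constructed.

```typescript
// Added example, not oidc-spa's code. Assumes a Node runtime (Buffer).

// Minimal base64url decoder for a JWT segment.
function base64UrlDecode(segment: string): string {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Returns the JWT payload object, or undefined when the token is not a
// structurally valid JWS (wrong segment count, non-JSON or non-object payload).
// A JWE (5 segments) or an opaque provider token falls into the undefined case.
export function tryDecodeJwtPayload(token: string): Record<string, unknown> | undefined {
  const parts = token.split(".");
  if (parts.length !== 3) return undefined;
  try {
    const payload: unknown = JSON.parse(base64UrlDecode(parts[1]));
    if (payload === null || typeof payload !== "object" || Array.isArray(payload)) return undefined;
    return payload as Record<string, unknown>;
  } catch {
    return undefined;
  }
}

// Expiration in ms since epoch, or undefined when it cannot be read client-side
// (opaque token, or a JWT without a numeric `exp` claim).
export function getRefreshTokenExpirationTime(refreshToken: string): number | undefined {
  const payload = tryDecodeJwtPayload(refreshToken);
  if (payload === undefined) return undefined;
  const exp = payload["exp"];
  return typeof exp === "number" ? exp * 1000 : undefined;
}

// With an unknown expiration the client cannot prove the token is stale, so it
// attempts the refresh and lets the identity provider reject an expired token.
export function shouldAttemptRefresh(refreshToken: string, nowMs: number): boolean {
  const expiresAt = getRefreshTokenExpirationTime(refreshToken);
  return expiresAt === undefined || expiresAt > nowMs;
}

// Constructed sample inputs (unsigned JWT, and an opaque placeholder value).
function makeSampleJwt(payload: object): string {
  const enc = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.`;
}
export const SAMPLE_JWT_REFRESH_TOKEN = makeSampleJwt({ exp: 1_700_000_000 });
export const SAMPLE_OPAQUE_REFRESH_TOKEN = "0.AXoA-constructed-opaque-value";
```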

garronej commented 1 month ago

This has been released in the official latest.
I hope it works, let me know if it doesn't.