Open fiedler-itlabs opened 6 months ago
In 2022 the creator added the decreaseExpirationBySec property specifically to solve this problem (clockSkewInSec set to a number less than or equal to 0 and still taking into account possible incorrect client clock).
The whole discussion took place in issue #1135. More specifically, he proposes the change in this comment and says that it is implemented in this one.
Describe the bug
The default for angular-oauth2-oidc is a clock skew of 10 minutes. I read all the other issues regarding clock skew and understand that this property is set to allow a user with an incorrect local clock to still use the token. But the current implementation also uses hasValidAccessToken in loadDiscoveryAndLogin, which means this function returns true even though I don't have a valid access token. If I then call e.g. loadUserProfile, I get an error because my access token is invalid. I have set up the automatic token refresh, but this only tries to get a new access token after the previous call failed. If I set clockSkewInSec to 0 everything works, but clients with an incorrect clock could have problems.
Stackblitz example
none
Expected behavior
loadDiscoveryAndLogin refreshes the token before returning "authenticated"
Desktop (please complete the following information):
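The effect of the two settings discussed in this issue on a client-side expiry check, as an added example that is not part of the thread and not the library's own code. The check formula, the polling client, the strict resource server, the 5-minute token lifetime and the 30-second margin are assumptions constructed for illustration.

```typescript
// Added model: names follow the settings named in the thread; the formula
// and all numbers except the 10-minute default are assumptions.
interface ExpiryConfig {
  clockSkewInSec: number;          // tolerance granted to a wrong client clock
  decreaseExpirationBySec: number; // treat the token as expired this much earlier
}

const DEFAULT_SKEW: ExpiryConfig = { clockSkewInSec: 600, decreaseExpirationBySec: 0 };
const EARLY_REFRESH: ExpiryConfig = { clockSkewInSec: 0, decreaseExpirationBySec: 30 };

// Client-side check: true while the client would still send the token.
function looksValid(expiresAtSec: number, nowSec: number, cfg: ExpiryConfig): boolean {
  return expiresAtSec - cfg.decreaseExpirationBySec >= nowSec - cfg.clockSkewInSec;
}

// Seconds after real expiry during which the client still reports "valid".
// A negative value means the client refreshes before the token expires.
function staleWindowSec(cfg: ExpiryConfig): number {
  return cfg.clockSkewInSec - cfg.decreaseExpirationBySec;
}

interface Outcome { rejectedCalls: number; refreshes: number; }

// Simulate a client calling an API every stepSec seconds. The client refreshes
// only when its own check fails; the resource server applies no tolerance and
// rejects any token at or past its expiry.
function simulate(cfg: ExpiryConfig, lifetimeSec: number, stepSec: number,
                  durationSec: number): Outcome {
  let expiresAt = lifetimeSec; // first token issued at t = 0
  let rejectedCalls = 0;
  let refreshes = 0;
  for (let now = 0; now <= durationSec; now += stepSec) {
    if (!looksValid(expiresAt, now, cfg)) {
      expiresAt = now + lifetimeSec; // refresh before making the call
      refreshes++;
    }
    if (now >= expiresAt) rejectedCalls++; // server-side expiry check
  }
  return { rejectedCalls, refreshes };
}

// 5-minute tokens, one call per minute, 30 minutes of activity (constructed).
console.log("default skew :", staleWindowSec(DEFAULT_SKEW), simulate(DEFAULT_SKEW, 300, 60, 1800));
console.log("early refresh:", staleWindowSec(EARLY_REFRESH), simulate(EARLY_REFRESH, 300, 60, 1800));
```

In this model a positive stale window is the period in which a "valid" result from the client check does not mean the resource server will accept the token.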