Closed mze9412 closed 5 years ago
Do you have any suggestion on what could be done on this side to fix this? I mean: if Google prevents cross origin iframe loads, then there isn't much that can be done about that on the library side, right?
Not really, that is my problem ;) Maybe automatically clear the token after the 60 minutes are over and throw an event that the token is no longer valid, so that the client application can at least log out the user.
The behaviour right now is that the client just continues to send an invalid token in the header which the server applications cannot use because it has timed out.
Actually Google has a refresh mechanism, documented here: https://developers.google.com/identity/protocols/OAuth2WebServer
Maybe the original token request needs to specifically request offline access for Google token?
Access tokens periodically expire. You can refresh an access token without prompting the user for permission (including when the user is not present) if you requested offline access to the scopes associated with the token.
Offline scope is something you could request, but I thought that was more for server side / API applications? Your link also goes to the docs about API clients, not web/js clients. Either way I don't think angular-oauth2-oidc supports Authorization Code flow, only Implicit and Resource Owner Password flows.
You could also check out #115 where it is claimed (a while ago, so the same-origin thing might've come after that? not sure) that it should work as expected.
I suggest looking at that other issue, and if you still run into problems try to make a minimal but complete repro for us, possibly trying Stack Overflow first where there's more people answering questions.
Yeah, I know :\
I used the information from #115 to get Google Oauth to run :) Is there a good way to hook into the token timeout with angular-aouth2-oidc? If so I could at least provide some automatic logout or reinitiate the implicit workflow when the token times out.
You can subscribe to a filtered list of events of your choice to do what you want I think, or set up such a timer yourself of course.
I will try with 'token_expired' tomorrow, I did not see it happen on the console via logging
Try using this gist for extra logging if you aren't already. In addition, try lowering the timeoutFactor to make testing easier.
Yeah, that is what I am doing :)
So I work around the issue for now by using timeoutFactor 1.0 and when I get a 'token_expires' event I will logout the user.
My workaround for now is this (within the event handler for the status events):
```ts
else if (e.type === 'token_expires') {
  console.warn(e);
  this.oauthService.logOut();
  this.oauthService.initImplicitFlow();
}
```
Google seems to set the X-Frame-Options header to "sameorigin", this leads to the following error during silent refresh:
To reproduce just use Google for OAuth and setup silent refresh after logging in via their provider:
```ts
this.oauthService.events.subscribe(e => {
  if (e instanceof OAuthSuccessEvent && e.type === 'token_received') {
    this.oauthService.setupAutomaticSilentRefresh();
  }
});
```
Settings for AuthConfig:

```ts
issuer: 'https://accounts.google.com',
redirectUri: window.location.origin,
silentRefreshRedirectUri: window.location.origin + '/silent-refresh.html',
clientId: '',
strictDiscoveryDocumentValidation: false,
scope: 'openid profile email',
showDebugInformation: true,
timeoutFactor: 0.1,
```

clientId must contain your own id, of course
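Added example, not code from angular-oauth2-oidc or from anyone in this thread. It models the two points discussed above: why a cross-origin silent-refresh iframe cannot succeed against an issuer that answers with `X-Frame-Options: sameorigin` (or an equivalent CSP `frame-ancestors` policy, which takes precedence when both are sent), and the fallback of reacting to `token_expires` by logging out and restarting the implicit flow instead of keeping a stale token in the Authorization header. The event names (`token_received`, `token_expires`, `silent_refresh_error`, `silent_refresh_timeout`) and the service methods (`setupAutomaticSilentRefresh`, `logOut`, `initImplicitFlow`) are the library's; the header parser, the `timeoutFactor` arithmetic, the `fakeOAuthService` stand-in and the sample headers and origins are assumptions constructed for the example.

```javascript
// Added example: not code from angular-oauth2-oidc or from the issue thread.
// Decide whether appOrigin may frame a page served by issuerOrigin, given the
// issuer's response headers. CSP frame-ancestors wins over X-Frame-Options
// when both are present. These are anti-clickjacking controls on the IdP;
// a blocked silent-refresh iframe is a side effect of that protection.
function framingAllowed(headers, issuerOrigin, appOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const issuer = issuerOrigin.toLowerCase();
  const app = appOrigin.toLowerCase();

  const csp = h['content-security-policy'] || '';
  const m = /frame-ancestors\s+([^;]+)/i.exec(csp);
  if (m) {
    const sources = m[1].trim().split(/\s+/)
      .map(s => s.replace(/^'|'$/g, '').toLowerCase());
    if (sources.includes('none')) return false;
    if (sources.includes('*')) return true;
    if (sources.includes('self') && issuer === app) return true;
    return sources.includes(app);
  }

  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return false;
  if (xfo === 'sameorigin') return issuer === app;
  return true; // no framing restriction declared
}

// Time (ms since epoch) at which the expiry timer fires, following the
// timeoutFactor semantics used in the thread (assumption): 1.0 fires at
// expiry, 0.1 after a tenth of the token lifetime, handy when testing.
function tokenExpiresEventAt(storedAtMs, expiresAtMs, timeoutFactor) {
  return storedAtMs + (expiresAtMs - storedAtMs) * timeoutFactor;
}

// Pure decision function for the event handler: returns the OAuthService
// method names to call, so the policy can be tested without Angular.
function planActions(event, silentRefreshPossible) {
  switch (event.type) {
    case 'token_received':
      // Only arm silent refresh when the issuer will actually let us frame it.
      return silentRefreshPossible ? ['setupAutomaticSilentRefresh'] : [];
    case 'token_expires':
      // With silent refresh armed the library renews on its own; otherwise
      // drop the stale token rather than sending it to the API until a 401.
      return silentRefreshPossible ? [] : ['logOut', 'initImplicitFlow'];
    case 'silent_refresh_error':
    case 'silent_refresh_timeout':
      // The iframe was blocked or never answered: same fallback.
      return ['logOut', 'initImplicitFlow'];
    default:
      return [];
  }
}

// Wire the plan to a service exposing events.subscribe and the three methods.
// Returns the list of method calls made, for inspection.
function attachHandlers(oauthService, silentRefreshPossible) {
  const calls = [];
  oauthService.events.subscribe(e => {
    for (const method of planActions(e, silentRefreshPossible)) {
      oauthService[method]();
      calls.push(method);
    }
  });
  return calls;
}

// Constructed stand-in for OAuthService (not the real class): a minimal
// synchronous event bus, enough to replay a token lifecycle offline.
function fakeOAuthService() {
  const listeners = [];
  return {
    events: { subscribe: fn => listeners.push(fn) },
    emit: e => listeners.forEach(fn => fn(e)),
    setupAutomaticSilentRefresh() {},
    logOut() {},
    initImplicitFlow() {},
  };
}

// Replay with constructed Google-like headers: token received, then expiry.
function demoGoogle() {
  const issuer = 'https://accounts.google.com';
  const app = 'https://app.example.test'; // hypothetical SPA origin
  const canFrame = framingAllowed({ 'X-Frame-Options': 'SAMEORIGIN' }, issuer, app);
  const svc = fakeOAuthService();
  const calls = attachHandlers(svc, canFrame);
  svc.emit({ type: 'token_received' });
  svc.emit({ type: 'token_expires', info: 'access_token' });
  return { canFrame, calls };
}
```

Running `demoGoogle()` yields `canFrame === false` and the calls `['logOut', 'initImplicitFlow']`, which is the workaround from the thread expressed as a testable policy; an issuer that sends `frame-ancestors 'self' https://app.example.test` instead would arm `setupAutomaticSilentRefresh` and leave `token_expires` to the library.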
emmm..., I have the same problem as ! The same error will be reported when I set the auth server access-token-validity-seconds to 1800s. But when set to 250s, there is no exception.
Reading back it seems there's not too much left to do within this library? Let us know if we should reopen the issue, if there's still something else to be done here....
I am using an internal ForgeRock server and implicit flow, but I got the same error and therefore I am not able to do silent renewals. Is there a way to do the renewal in a popup window? If not, this could be a feature request.