zooniverse / panoptes-javascript-client

A Javascript client for accessing the Panoptes API
https://zooniverse.github.io/panoptes-javascript-client
Apache License 2.0

Client creates a new token for each page load/refresh #53

Open marten opened 8 years ago

marten commented 8 years ago

I'm not sure what's going on, but if you look at the Network requests you'll see a POST /oauth/token every time, which then generates a new token on the Panoptes side. Shouldn't the client, after login, stick the access token, refresh token and expiry time somewhere in a cookie/localstorage and keep using that?

eatyourgreens commented 6 years ago

Should be fixed by #75, which stores the token details in session storage. New windows or tabs will probably still issue token requests, because they don't share session storage.

eatyourgreens commented 6 years ago

Actually, reading this again, this might be a bug in auth.js rather than oauth.js.

camallen commented 6 years ago

Sticking the token in local storage could be an issue for shared computers, ideally a sign out event will clean this up combined with a check on expired tokens during page load, etc.

However we can certainly be smarter about token expiration and re-use than what we currently are. Specifically auth.js and oauth.js share common concerns around token lifecycle events but don't share any code. Ideally we should have different strategies:

  1. credential flow (current auth.js)
  2. implicit flow (current oauth.js)

to get the token, which then feeds into common token re-use and management, with hooks to renew tokens, etc.

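
One shape such a shared token-management layer could take, as an added example that is not code from panoptes-javascript-client or from the commenters: the token record is kept in injectable storage (sessionStorage in a page), reused across reloads while it is still valid, renewed shortly before expiry, and cleared on sign-out; the storage key and the `requestToken` callback signature are assumptions for the example.

```javascript
// Added example, not code from panoptes-javascript-client: a token cache that
// reuses a stored access token across page loads and only POSTs to the token
// endpoint when the stored token is missing, corrupt or about to expire.
// storage is anything with getItem/setItem/removeItem (window.sessionStorage
// in a browser); now() is injected so expiry can be tested without waiting.
const TOKEN_KEY = 'panoptes-token';          // hypothetical storage key
const EXPIRY_MARGIN_MS = 60 * 1000;          // renew a minute early, not at the last second
function createTokenStore(storage, now = Date.now) {
  function read() {
    const raw = storage.getItem(TOKEN_KEY);
    if (!raw) return null;
    try {
      const t = JSON.parse(raw);
      if (typeof t.access_token !== 'string' || typeof t.expires_at !== 'number') return null;
      return t;
    } catch (e) {
      storage.removeItem(TOKEN_KEY);           // corrupt entry: discard, never trust it
      return null;
    }
  }
  const isValid = (t) => t !== null && t.expires_at - EXPIRY_MARGIN_MS > now();
  // requestToken(refreshToken) performs the POST /oauth/token exchange and resolves
  // to { access_token, refresh_token, expires_in } with expires_in in seconds.
  async function getAccessToken(requestToken) {
    const cached = read();
    if (isValid(cached)) return cached.access_token;   // reuse: no network request
    const fresh = await requestToken(cached ? cached.refresh_token : undefined);
    const record = {
      access_token: fresh.access_token,
      refresh_token: fresh.refresh_token,
      expires_at: now() + fresh.expires_in * 1000,     // absolute time, survives reloads
    };
    storage.setItem(TOKEN_KEY, JSON.stringify(record));
    return record.access_token;
  }
  // Sign-out clears the stored token so the next user of a shared machine cannot reuse it.
  const signOut = () => storage.removeItem(TOKEN_KEY);
  return { getAccessToken, signOut, hasValidToken: () => isValid(read()) };
}
// In-memory stand-in for sessionStorage, so the example runs outside a browser.
function createMemoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}
```

Separate tabs do not share sessionStorage, so each tab still performs its own first exchange; only reloads within one tab reuse the token.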
eatyourgreens commented 6 years ago

This is called from Auth.checkCurrent. I'm not 100% sure what current thing that is checking, but I think it's the current user. https://github.com/zooniverse/panoptes-javascript-client/blob/4ef31ecdfa5fb8f4617be408dc52a5c4ece940ad/lib/auth.js#L39-L64

eatyourgreens commented 1 year ago

Both credential flow (auth.js) and implicit flow (oauth.js) are legacy now and not recommended for use.

OAuth 2.1 doesn’t allow the credentials flow at all.