I have an Angular 8 SPA application that makes use of the angular-oauth2-oidc library to authenticate onto an identity server using the code flow approach. This is all working fine to login and logout, including the refresh token to pull new access tokens periodically.
The problem is when the refresh token lifespan is at its end: it, as expected, fails to get another token from the token_endpoint, but if I were to call the login function at this point it automatically logs me in?! This happens despite the refresh token being invalid at this point, and even if I wait a long period of time before calling login.
I was expecting to be prompted again for credentials given the token was expired. I'm hoping to find an explanation to this, as currently a user of my SPA could easily gain an infinite session.
Does anyone know why this is happening?
Background: for testing, the refresh token expiry is set to 120 s and the access token expiry to 60 s.
My IdentityServer4 project is based off the provided quickstart example.
angular-oauth2-oidc -> https://github.com/manfredsteyer/angular-oauth2-oidc
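Added example, not code from the question, from IdentityServer4 or from angular-oauth2-oidc: a small model of the two independent lifetimes involved. In OpenID Connect the authorize endpoint decides whether to show the login page from the provider's own authentication cookie and from the `prompt` / `max_age` request parameters (OIDC Core 1.0, section 3.1.2.1); a refresh token is a separate grant that only the token endpoint checks. The session cookie lifetime (assumed here to be 10 hours), the refresh token lifetime (120 s, as in the question) and the scenario helper are constructed values used to show that the refresh-token grant fails while a plain authorize request still succeeds without a prompt, and that `prompt=login` or `max_age` changes that.

```javascript
// Added example: model of an OIDC provider's authorize-endpoint decision and
// of its token endpoint's refresh-token check. Not IdentityServer4 code.
const SEC = 1000;

// Provider-side SSO session created when the user last entered credentials.
// cookieLifetimeSec is an assumption (IdentityServer configures it separately
// from any token lifetime).
function makeIdpSession(authTimeMs, cookieLifetimeSec) {
  return { authTimeMs, cookieExpiresMs: authTimeMs + cookieLifetimeSec * SEC };
}

// Refresh-token record as stored by the token endpoint. Deliberately NOT an
// input to decideAuthorize(): the authorize endpoint never looks at it.
function makeRefreshToken(issuedMs, lifetimeSec) {
  return { issuedMs, expiresMs: issuedMs + lifetimeSec * SEC };
}

// grant_type=refresh_token at the token endpoint.
function refreshTokenGrantAllowed(rt, nowMs) {
  return nowMs < rt.expiresMs;
}

// Authorize endpoint: must the user be re-prompted for credentials?
// Rules follow OIDC Core 1.0 section 3.1.2.1 (prompt and max_age).
function decideAuthorize({ session, nowMs, prompt, maxAgeSec }) {
  const sessionValid = Boolean(session) && nowMs < session.cookieExpiresMs;
  if (prompt === 'login') {
    return { promptUser: true, reason: 'prompt=login forces re-authentication' };
  }
  if (prompt === 'none' && !sessionValid) {
    // Silent request with no session: error back to the client, no UI.
    return { promptUser: false, error: 'login_required' };
  }
  if (!sessionValid) {
    return { promptUser: true, reason: 'no valid authentication cookie' };
  }
  if (maxAgeSec !== undefined) {
    const ageSec = (nowMs - session.authTimeMs) / SEC;
    if (ageSec > maxAgeSec) {
      return { promptUser: true, reason: `auth_time older than max_age=${maxAgeSec}` };
    }
  }
  return { promptUser: false, reason: 'existing SSO session reused' };
}

// Authorize URL a code-flow client sends; shows where extra parameters go.
// The /connect/authorize path and client identifiers are constructed values.
function buildAuthorizeUrl(issuer, clientId, redirectUri, extra = {}) {
  const url = new URL('/connect/authorize', issuer);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', 'openid profile offline_access');
  for (const [k, v] of Object.entries(extra)) url.searchParams.set(k, String(v));
  return url.toString();
}

// The question's timeline: login at t0, refresh token lifetime 120 s,
// then a login attempt 300 s later when the refresh token is already dead.
function scenarioFromQuestion(cookieLifetimeSec = 10 * 3600) {
  const t0 = Date.UTC(2020, 0, 1);
  const session = makeIdpSession(t0, cookieLifetimeSec);
  const rt = makeRefreshToken(t0, 120);
  const now = t0 + 300 * SEC;
  return {
    refreshStillWorks: refreshTokenGrantAllowed(rt, now),
    plainLogin: decideAuthorize({ session, nowMs: now }),
    withPromptLogin: decideAuthorize({ session, nowMs: now, prompt: 'login' }),
    withMaxAge: decideAuthorize({ session, nowMs: now, maxAgeSec: 120 }),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(scenarioFromQuestion(), null, 2));
  console.log(buildAuthorizeUrl('https://idp.example', 'spa', 'https://app.example/cb', { prompt: 'login' }));
}
```

Run with `node` to print the scenario: the refresh grant is refused, the plain authorize request is satisfied from the cookie, and the same request with `prompt=login` or `max_age=120` prompts. On the client side, recent angular-oauth2-oidc versions let you pass such parameters through `customQueryParams` in the `AuthConfig` or through the second argument of `initCodeFlow` (check the version you use); whether that, a shorter provider cookie lifetime, or ending the provider session on logout is the right fix depends on the session policy you want.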