
I have an SPA application in which I implemented oidc-client for OAuth authentication, and below are the points I need clarified.

  1. How do I configure the silent-refresh page with the webpack config file in an Angular-structured project, since silent-refresh.html is not invoked on token expiration?
  2. Even if a silent token is generated, how do I get/set the expiration time of the silently generated token?

Kindly help and suggest.

2 Answers


SILENT REFRESH

Rather than a separate HTML page, my personal preference is to handle this by sending the silent token renewal response to the index.html page. Then write code like this:

if (window.top === window.self) {

    // Run the main app
    const app = new App();
    app.execute();

} else {

    // If our SPA is running on an iframe, handle token renewal responses
    const app = new IFrameApp();
    app.execute();
}

I find that this approach avoids adding complexity to the WebPack / build system. The code for the iframe app does very little other than receive the silent token renewal response.

EXPIRY

I am curious why you want to use access token expiry times directly. You can get the value like this:

const user = await this._userManager.getUser();
if (user) {
  console.log(user.expires_at);
}

The real requirement here is to ensure that you avoid errors for end users when an API call fails due to an expired access token. This is best handled via the following actions:

  • If an API call fails with a 401 status code
  • Then try to get a new access token, generally via userManager.signInSilent()
  • Then retry the API call with the new access token

Therefore the way you call APIs should have a helper class with some retry logic, as in my example here.

Gary Archer
  • Thanks Gary for the quick response. And expires_at of the silently renewed token is set based on the idsrv config refresh token lifetime, correct? – Muruga ananth Aug 26 '20 at 09:34
  • That field only receives the access token lifetime and not the overall session time. One option might be to read the user.profile.exp claim, which is the expiry time of the id token, and see if that gives you the value you need. – Gary Archer Aug 26 '20 at 11:53
  • No Gary, as per our requirement, we were able to get the access token expiration time, but once the silent token is generated, how do we get the expiration time of the silently generated token, like the refresh token... – Muruga ananth Aug 26 '20 at 18:58
  • That's right - there is absolutely nothing in OAuth standards that ever gives a client the refresh token expiry time. So what you are trying to do is not supported by the technology. If you can explain why you need that value I can maybe suggest an alternative that meets the same goals. – Gary Archer Aug 26 '20 at 19:07
  • Yes Gary. Our requirement is how to get the timeout of the silently generated token if there is no user action for a long time/days? – Muruga ananth Aug 27 '20 at 09:57
  • Initially, after one hour, we generate a silent token based on the access token expires_in. Likewise, how can we show timeout messages based on the silent token validity, which is to be validated? – Muruga ananth Aug 27 '20 at 10:01
  • Sounds like your requirement is to handle expiry reliably so that you avoid errors for end users, e.g. if they leave their browser running overnight. The standard way to do this is to allow expiry errors to occur and then deal with them in the client. Note that there are multiple reasons why tokens can fail in addition to expiry, e.g. revocation, token signing certificate renewal. Try running my [Online SPA](https://authguidance.com/home/code-samples-quickstart/) and use the expiry buttons - and let me know if that behaviour works for you. – Gary Archer Aug 27 '20 at 11:46

To get notified after a silent refresh, add an event handler for userLoaded: UserManager.events.addUserLoaded. This will pass the new User with a new expiry time.

Nelis
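As an added example (not code from either answer), here is the retry helper the first answer describes, combined with the userLoaded event from the second answer so the client always knows the current expires_at. It assumes an oidc-client UserManager (getUser, signinSilent, events.addUserLoaded; note the library spells the method signinSilent) and a fetch-compatible function, both injected so the logic can be exercised offline with fakes.

```javascript
// Added example, not from the answers above. `userManager` is assumed to be an
// oidc-client UserManager; `fetchImpl` is any fetch-compatible function.
class ApiClient {
  constructor(userManager, fetchImpl) {
    this.userManager = userManager;
    this.fetchImpl = fetchImpl;
    this.renewal = null;        // in-flight signinSilent() shared by concurrent 401s
    this.lastExpiresAt = null;  // expires_at of the most recently loaded User
    // Every silent renewal raises userLoaded with a User carrying the new
    // access token lifetime (the value the question asks for).
    userManager.events.addUserLoaded((user) => {
      this.lastExpiresAt = user.expires_at;
    });
  }

  // Renew the access token; callers that hit 401 at the same time share one call.
  // If the session is gone at the identity provider, signinSilent() rejects and
  // the error propagates so the caller can start a full login.
  renewToken() {
    if (!this.renewal) {
      this.renewal = this.userManager.signinSilent()
        .finally(() => { this.renewal = null; });
    }
    return this.renewal;
  }

  // Call an API with a bearer token; on 401 renew exactly once and retry.
  // A second 401 is returned to the caller, never retried again (no loop).
  async callApi(url, options = {}) {
    const user = await this.userManager.getUser();
    if (!user) {
      throw new Error('not logged in');
    }
    let response = await this.fetchImpl(url, withToken(options, user.access_token));
    if (response.status === 401) {
      const renewed = await this.renewToken();
      response = await this.fetchImpl(url, withToken(options, renewed.access_token));
    }
    return response;
  }
}

// Copy the request options with an Authorization header added.
function withToken(options, accessToken) {
  const headers = { ...(options.headers || {}), Authorization: `Bearer ${accessToken}` };
  return { ...options, headers };
}
```

The same helper also covers the "expiry" cases the comments discuss (revocation, signing key rollover), because any 401 triggers the single renew-and-retry rather than a check against expires_at alone.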