I have an SSO server using Duende Identity Server 6.2 and an ASP API backend. Works great.
My angular client works well too. I can login and talk to my API. My problem is after about 30minutes, my token apparently expires and my HTTP calls fail (as expected). Now, for testing, I added a button that does this:
this.oidcSecurityService.forceRefreshSession().subscribe()
It goes and successfully gets a new token with no interaction, but it then takes me away from my current page, which is obviously disruptive. I've also tried this.oidcSecurityService.authorize(); which takes me to SSO, sees my SSO token is valid then takes me back to my redirect page on my angular site and my calls work again. Disruptive as well.
My OIDC config is as follows:
{
authority: 'https://localhost:5001',
redirectUrl: 'http://localhost:4200/dashboard',
silentRenewUrl: 'http://localhost:4200/silentRenew.html',
postLogoutRedirectUri: window.location.origin,
clientId: '###',
scope: 'openid profile email offline_access',
responseType: 'code',
silentRenew: true,
useRefreshToken: true,
ignoreNonceAfterRefresh: true,
triggerRefreshWhenIdTokenExpired: true,
renewTimeBeforeTokenExpiresInSeconds: 30,
secureRoutes: [environment.apiUrl],
postLoginRoute: '/dashboard',
}
So first question, should OIDC not be just getting new tokens by itself? I see no network activity happening unless explicitly triggered by me.
If the answer to the above is no, I can just write an interceptor that detects 401, but how do I get a new token without redirecting the user and losing all my state? For example, I've read you can save your current location and return back there, but I'll still lose my state (form values, etc) so that's not really an option for me.
I can post any other code if it's helpful. Thanks!
