-
Notifications
You must be signed in to change notification settings - Fork 267
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Web workers for token renew and expiry #1474
Comments
@erichey620 Are you using refresh tokens? The solution proposed in #1445 isn't necessarily suggesting to sign the user out (a user isn't technically "signed out" until the refresh token is also expired or revoked). The suggestion is to allow the access token to expire when the tab is inactive and once the user re-visits the page, the access token will be checked, found to be expired and ultimately renewed (via the refresh token). This won't require any user input/interaction Do you mind elaborating a bit more on your use case? My bosses love user stories :) |
Hey, thanks for the reply! Follow-up question on your suggestion: “once the user re-visits the page, the access token will be checked, found to be expired and ultimately renewed (via the refresh token). This won't require any user input/interaction” At the moment I dont use refresh token - when I tinkered around and requested one, it had the Maybe an interceptor for any Http calls that will check the validity of the access token (or if it got autoRemoved) and refresh if needed? - that maybe what you had in mind? overall I think it would be a nice improvement if the Sdk could use a worker to keep track of the accessToken expiration and renew it on time even with minimized tabs, to reduce any client/consumer implementations for renewing or other bad side effects. |
Also a current downside of my home-grown web worker solution is that with multiple tabs open, they’ll all fire off a request to renew the tokens.. whereas the autoRenew I think was smart enough to only have one master tab do so.. not sure how that gets tracked exactly in your Sdk code, or if that’s something accessible somehow if I wanted to mimic that behavior |
Assuming you're using refresh token, yes, this is out-of-the-box functionality. You will need to set
Do you happen to know if you token is actually expired?
Yes, you can configure
authjs should automatically renew your tokens with the following configuration
It's probably a good idea to check if a token has expired before using it |
Modern browsers will throttle timers if a window is minimized (among other conditions) - You can start to see throttling after about 5 minutes. See: https://developer.chrome.com/blog/timer-throttling-in-chrome-88/
I am getting issues reported where a user’s accessToken does not get refreshed automatically when the window is minimized. User maximizes browser and continues to work, but the token has expired and the app is stuck in a failed state. 404’s for all network calls and can’t recover.
There was a previous issue reported
, Originally posted by @jaredperreault-okta in #1445 (comment)_
But it seems the “solution” for the person reporting it was to just sign the user out due to inactivity. I don’t think that will suffice if Chome could start causing issues only after 5 minutes. Web workers likely need to be introduced to reliably track token expiration times and fire the events to ensure a seamless interaction.
The text was updated successfully, but these errors were encountered: