Refresh Token

[HP-hariprasad]

I hope this message finds you well. I am writing to seek clarification on the token refresh mechanism in your authentication system and the configurations required for its proper functioning.

1. How does the token refresh work?
I would like to understand the underlying process of token refresh. Specifically, does the token refresh happen automatically, or do I need to trigger it manually through a specific API endpoint or function? Could you provide an overview of the workflow involved in token refresh?

2. Configuration for Token Refresh:
Are there any specific URLs or configurations that need to be set up during the authentication creation to enable token refresh? If so, could you please provide guidance on what parameters or settings are required to ensure a smooth token refresh process? Any insights on best practices or recommendations for these configurations would be greatly appreciated.

3. Parameters Involved:
It would be helpful to know what parameters are involved in the token refresh process. Are there any specific parameters that I need to include when initiating a token refresh request, or are these parameters managed automatically by the system? Understanding the key parameters involved will assist me in implementing token refresh correctly.

I appreciate your time and assistance in providing insights into the token refresh mechanism and its associated configurations.

[ayZagen]

Hello,

1. As this is a OIDC library, it strictly follows OIDC specification. If autoSilentRenew is enabled, before the access token expires, which the expiration returns from auth response as expires_in parameter, the library will make an authorization request in an iframe invisible to the user by using prompt=none parameter. You can search the web regarding prompt=none, i am pretty sure you will find a lot of resources.
   However, if useRefreshTokens is enabled, (assuming your provider supports issuing refresh tokens) and you have included offline_access in your scopes, the library will use refresh tokens instead of prompt=none. In the initial login, your provider returns a refresh_token along with access token and the library will make a request to your provider's token endpoint with received refresh token resulting with return of a new access token. You can also find a lot of resources about that.

2. If your provider is OIDC conformant, setting the issuer will be enough. The library will fetch your provider's OIDC endpoints automatically from the standard /.well-known/openid-configuration endpoint. If not, you can also define those endpoints with endpoints option (properties of the endpoints option).
   If your application lives in the same domain with your provider, than using refresh tokens is not necessary, otherwise you have to use refresh tokens because browsers are blocking third-party cookies and prompt=none silent renew method won't work as the specification relies on cookies.

3. with prompt=none method there is not a specific parameter to be set. But, the other method, for using refresh tokens, set your response_type to code, enable the option useRefreshToken and include offline_access in your scope. These are the minimum requirements.
   Again, depending on your provider you may need additional parameters. If so, set them accordingly and everything should work. For a flawless refreshing token you need to also set authStore different from in memory option. For example:

import { LocalStorageStateStore, OIDCClient } from '@plusauth/oidc-client-js'
  
const myOidcClient = new OIDCClient({
  // other options...
  authStore: new LocalStorageStateStore('myapp.'),
})

Note that, using local storage is not advised, but if your provider supports rotating refresh tokens it would be more secure.

[HP-hariprasad]

Hello,

I hope this message finds you well. I've been working with your OIDC library, and I have a few questions and concerns that I'd like to discuss. Firstly, I want to express my gratitude for the detailed documentation you've provided, which has been quite helpful in understanding the library's behavior. Here are my follow-up questions:

1. Issue with idToken nonce Property: After enabling the useRefreshToken option and allowing the library to trigger auto-refresh when the access token is about to expire, I noticed that the response from the server after the refresh doesn't include the nonce property in the idToken. However, I see the nonce in the ID token when I authenticate freshly by providing the username and password and also i configured the MFA for the authentication. Should I enable any specific parameter or pass additional information to ensure that the nonce property is included in the idToken received after refresh? Please refer to the attached snapshots of Figure 4 and Figure 5 for more details.

2. Missing Refresh Token: When I comment out the code that throws an exception for an invalid idToken as in the Figure 2, the execution proceeds without any issues. However, I noticed that I do not receive a refresh token in the response. Could you please review the attached snapshots of the Figure 1 and let me know what might be causing this issue?

3. As per your suggestion, If I Include the offine_access in the scope, I get error of "invalid scope"

4. Even if I add the nonce specifically, While initializing the auth, Response from the server as its own nonce

5. Auth object is getting empty and loosing its attribute values and the functions methods if refresh the webpage. throws the error as function does not exists

Environment I am using are:

Vue3 with vite
AWS Cognito for the authentication

Note: I am facing the above issues only during the implementation of refreshToken

I'd greatly appreciate your insights and assistance in resolving these matters. Thank you for your support.

Figure 1:

Figure 2

Figure 3

Figure 4 Id Token response after the refresh

Figure 5 Id Token response when authenticated freshly from using username and password