
Silent renew dies if startRenew fails #617

Closed
CobusKruger opened this issue Mar 27, 2020 · 1 comment

@CobusKruger

I have an IDS4 server and use silent renew. Generally, the output in the log looks a bit like this:

oidc.logger.service.ts:20 silentRenewHeartBeatCheck
	silentRenewRunning: false
	idToken: true
	_userData.value: true
oidc.logger.service.ts:20 Token not expired?: 1585317895000 > 1585317894852  (true)
oidc.logger.service.ts:20 silentRenewHeartBeatCheck
	silentRenewRunning: false
	idToken: true
	_userData.value: true
oidc.logger.service.ts:20 Token not expired?: 1585317895000 > 1585317897855  (false)
oidc.logger.service.ts:20 IsAuthorized: id_token isTokenExpired, start silent renew if active
oidc.logger.service.ts:20 BEGIN refresh session Authorize
oidc.logger.service.ts:20 RefreshSession created. adding myautostate: <<STATE>>
oidc.logger.service.ts:20 startRenew for URL:https://localhost:44365/connect/authorize?client_id=MyClientID&redirect_uri=https%3A%2F%2Flocalhost%3A4200%2Fassets%2Fsilent-renew.html&response_type=code&scope=openid%20profile%20Some.Service&nonce=N0.<<NONCE>>&state=<<STATE>>&code_challenge=<<CHALLENGE>>&code_challenge_method=S256&prompt=none
oidc.logger.service.ts:20 silentRenewEventHandler
oidc.logger.service.ts:20 BEGIN authorized Code Flow Callback, no auth data
oidc.logger.service.ts:20 history clean up inactive
oidc.logger.service.ts:20 {id_token: "<<IDTOKEN>>", access_token: "<<ACCESSTOKEN>>", expires_in: 30, token_type: "Bearer", scope: "openid profile Some.Service", …}
oidc.logger.service.ts:20 authorizedCallback created, begin token validation
oidc.logger.service.ts:20 jwks_uri: https://localhost:44365/.well-known/openid-configuration/jwks
oidc.logger.service.ts:20 validate_id_token_iat_max_offset: 877 < 10000
oidc.logger.service.ts:20 Token not expired?: 1585317928000 > 1585317898878  (true)
oidc.logger.service.ts:20 at_hash from the server:<<HASH>>
oidc.logger.service.ts:20 at_hash client validation not decoded:<<HASH>>
oidc.logger.service.ts:20 AuthorizedCallback token(s) validated, continue
oidc.logger.service.ts:20 <<TOKEN>>
oidc.logger.service.ts:20 <<TOKEN>>
oidc.logger.service.ts:20 storing to storage, getting the roles
oidc.logger.service.ts:20 getIsAuthorized: true
oidc.logger.service.ts:20 silentRenewHeartBeatCheck
	silentRenewRunning: false
	idToken: true
	_userData.value: true
oidc.logger.service.ts:20 Token not expired?: 1585317928000 > 1585317901520  (true)

And then it continues with the heartbeat check and soon we'll have the same sequence.

The problem comes in when the server is uncontactable. I fake it by stopping and restarting the server when I expect the token to expire, but the same can happen just because of network instability.

Then it looks like this:

silentRenewHeartBeatCheck
	silentRenewRunning: false
	idToken: true
	_userData.value: true
oidc.logger.service.ts:20 Token not expired?: 1585317928000 > 1585317925535  (true)
oidc.logger.service.ts:20 silentRenewHeartBeatCheck
	silentRenewRunning: false
	idToken: true
	_userData.value: true
oidc.logger.service.ts:20 Token not expired?: 1585317928000 > 1585317928537  (false)
oidc.logger.service.ts:20 IsAuthorized: id_token isTokenExpired, start silent renew if active
oidc.logger.service.ts:20 BEGIN refresh session Authorize
oidc.logger.service.ts:20 RefreshSession created. adding myautostate: <<STATE>>
oidc.logger.service.ts:20 startRenew for URL:https://localhost:44365/connect/authorize?client_id=MyClientID&redirect_uri=https%3A%2F%2Flocalhost%3A4200%2Fassets%2Fsilent-renew.html&response_type=code&scope=openid%20profile%20Some.Service&nonce=<<NONCE>>&state=<<STATE>>&code_challenge=<<CODE>>&code_challenge_method=S256&prompt=none

And from here, this bit repeats endlessly:

oidc.logger.service.ts:20 silentRenewHeartBeatCheck
	silentRenewRunning: true
	idToken: true
	_userData.value: true

So it all seems to work until it tries to hit the URL. Since the URL is unavailable, it never receives tokens and remains in a waiting state. Even when the server comes back online, the silent renew is never triggered again.

I have two questions about this:

  1. If the server is unreachable long enough for the request to time out, shouldn't it retry the request in case the server becomes available again?
  2. If the server is unavailable long enough for the refresh token to expire, shouldn't there then be some error or event raised?

And a related bonus question:
What is the recommended way to detect authentication errors during silent renew?
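One way a client could avoid the stuck state described above, as an added example that is not angular-auth-oidc-client's own code: a heartbeat-driven renew state machine that gives each attempt a time budget, clears `silentRenewRunning` when the budget is exceeded so the next heartbeat retries, and raises an explicit event once the refresh token itself has expired. The class name, the event kinds, `RENEW_TIMEOUT_MS` and the timelines are all constructed for this example.

```typescript
// Added example, not code from angular-auth-oidc-client: a heartbeat-driven
// silent-renew state machine that cannot get stuck with silentRenewRunning=true.
// All names (SilentRenewMonitor, RENEW_TIMEOUT_MS, the event kinds) are
// hypothetical; timestamps are ms since epoch, as in the "Token not expired?" log line.

type RenewEvent =
  | { kind: 'renew-started'; at: number; attempt: number }
  | { kind: 'renew-timeout'; at: number; attempt: number }
  | { kind: 'renew-succeeded'; at: number }
  | { kind: 'refresh-token-expired'; at: number };

type HeartbeatResult = 'idle' | 'started' | 'waiting' | 'timed-out' | 'refresh-expired';

// Hypothetical budget for one renew attempt; the failure mode in the report is
// that no such budget exists, so a lost iframe response blocks renewal forever.
const RENEW_TIMEOUT_MS = 20_000;

class SilentRenewMonitor {
  readonly events: RenewEvent[] = [];
  silentRenewRunning = false;
  attempts = 0;
  private renewStartedAt: number | null = null;

  constructor(
    public idTokenExpiresAt: number,
    private readonly refreshTokenExpiresAt: number,
  ) {}

  // One tick of the silentRenewHeartBeatCheck.
  heartbeat(now: number): HeartbeatResult {
    if (this.silentRenewRunning) {
      if (now - (this.renewStartedAt ?? now) < RENEW_TIMEOUT_MS) {
        return 'waiting'; // the repeating "silentRenewRunning: true" lines
      }
      // The attempt exceeded its budget: clear the flag so the next tick
      // retries, and surface the failure as an event the app can observe.
      this.silentRenewRunning = false;
      this.renewStartedAt = null;
      this.events.push({ kind: 'renew-timeout', at: now, attempt: this.attempts });
      return 'timed-out';
    }
    if (this.idTokenExpiresAt > now) {
      return 'idle'; // "Token not expired?: exp > now (true)"
    }
    if (now >= this.refreshTokenExpiresAt) {
      // Renewing can no longer succeed; raise an explicit error instead of
      // starting another attempt that is bound to fail.
      this.events.push({ kind: 'refresh-token-expired', at: now });
      return 'refresh-expired';
    }
    this.attempts += 1;
    this.silentRenewRunning = true;
    this.renewStartedAt = now;
    this.events.push({ kind: 'renew-started', at: now, attempt: this.attempts });
    return 'started';
  }

  // Called by the silent-renew callback after the new tokens were validated.
  onRenewSucceeded(now: number, newIdTokenExpiresAt: number): void {
    this.silentRenewRunning = false;
    this.renewStartedAt = null;
    this.attempts = 0;
    this.idTokenExpiresAt = newIdTokenExpiresAt;
    this.events.push({ kind: 'renew-succeeded', at: now });
  }
}

// Constructed timeline (not captured output): the server is unreachable during
// the first attempt, so the iframe never answers; the second attempt succeeds.
function simulateOutage(): HeartbeatResult[] {
  const m = new SilentRenewMonitor(1_000, 100_000);
  const results: HeartbeatResult[] = [];
  results.push(m.heartbeat(0));      // idle: token still valid
  results.push(m.heartbeat(1_000));  // started: attempt 1, server down
  results.push(m.heartbeat(5_000));  // waiting
  results.push(m.heartbeat(25_000)); // timed-out: 24 s since start exceeds the budget
  results.push(m.heartbeat(26_000)); // started: attempt 2, server back
  m.onRenewSucceeded(27_000, 27_000 + 30_000); // "expires_in: 30" seconds, as in the log
  results.push(m.heartbeat(28_000)); // idle again
  return results;
}

// Constructed timeline: the outage outlasts the refresh token.
function simulateRefreshTokenExpiry(): HeartbeatResult {
  const m = new SilentRenewMonitor(1_000, 1_500);
  return m.heartbeat(2_000);
}
```

The `events` array is what an application would subscribe to: a `renew-timeout` answers the first question (the client retries on the next heartbeat instead of waiting forever), and `refresh-token-expired` answers the second (an explicit error rather than silence). Wire the real iframe callback to `onRenewSucceeded` and the heartbeat timer to `heartbeat`.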

@damienbod
Owner

damienbod commented Apr 26, 2020

@CobusKruger Thanks for reporting

fixed in version 11
