How to do token renewal #44
Comments
@philippendrulat There's no need to do token renewal. We do it automatically for you. Every time you call
Hey @luisrudge, I'm building a SPA and the session that I set in the Auth0 configuration page is 5 mins. So in 5 mins after successful login, auth0-spa-js will automatically refresh the token every time I call
As I understood, you are not able to use token refresh in a SPA. You are only able to renew the token until the session expires.
@jackmercy The Auth0 session has nothing to do with your token. Your token can expire before the session (that's pretty common). If you have an active session at Auth0, when you call
@philippendrulat Correct. We're not using refresh tokens. We're just asking for fresh tokens from the server.
That's precisely what we do. Once we put a token in the cache, we schedule its removal once it expires: https://github.com/auth0/auth0-spa-js/blob/master/src/cache.ts#L35-L41 So, next time you ask for a token, if it's not in the cache, it will just fetch remotely (if you have an active session).
Just to be clear here, when you're referring to the session expiring, are you meaning the access token?
Hello, I'm also interested in a little more guidance on this. I have implemented a recursive async function to scheduleRenewal like this:

```javascript
// parseJwt: decode the JWT payload (base64url) without verifying the signature;
// only the exp claim is read here, so latin1 output from atob is acceptable
const parseJwt = (token) => {
  const payload = token.split('.')[1]
  const base64 = payload.replace(/-/g, '+').replace(/_/g, '/')
  return JSON.parse(atob(base64))
}

// auth0 is the Auth0Client instance created elsewhere with createAuth0Client()
const scheduleRenewal = async (token, delay) => {
  const jwt = parseJwt(token)
  const expiresAt = jwt.exp * 1000 // exp is seconds since the epoch
  if (!delay) {
    // renew one minute before the token actually expires
    delay = expiresAt - Date.now() - 60000
  }
  await new Promise(f => setTimeout(f, delay))
  try {
    const newToken = await auth0.getTokenSilently()
    window.localStorage.setItem('access_token', newToken)
    // schedule the next renewal
    scheduleRenewal(newToken)
  } catch (e) {
    console.log('error renewing token silently')
    console.log(e)
    // retry in 3 seconds, keeping the old token in the meantime
    scheduleRenewal(token, 3000)
  }
}
```

Is this the best practice? Should we build in a delay like I have done or wait until exactly when the JWT expires? It seems like we would want to renew the token a little bit earlier than the actual expiration.
@freeman-g Yes there are a few things going on here that we deal with on your behalf:
Also, you are decoding and inspecting the JWT access token on the client, which it has no business doing (only the resource server consuming the access token should do that). The main reason is that there is effectively a contract between the resource server (to which the access token is issued) and the IdP - that contract could change without the client's knowledge, which may break the application. Just something to be aware of. It's not best practice, to answer your question. Considering those things, given that we manage a small leeway for you, you should be able to get away with not parsing that JWT, removing the leeway logic and potentially stop storing the token. Does that help?
Yes, this is very helpful. If I don't parse the JWT on the client, how do I determine the expiration time ( Thank you |
@freeman-g what's the use case for scheduling that renewal? Are you trying to sync up some operation with the renewal of the access token? Otherwise, we handle the renewal of the access token for you inside the SDK, there's no need to do that manually. |
I'm just trying to make sure that I have a current token for API calls. I'm using Axios, so I'm doing this:
Then I'll use Axios like this:
Therefore, I want to schedule background renewal so that the token is current when I need it. Are you suggesting that I should just call
Thanks again |
Keep in mind that interceptors in axios can be async: https://github.com/axios/axios/blob/master/index.d.ts#L126 So you should be able to just use
You can still implement some kind of renewal elsewhere, e.g. call our SDK's
Calling
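As an added example that is not code from the thread or from auth0-spa-js itself, the following JavaScript models the two pieces discussed above: the cache that schedules removal of a token at expiry and only goes back to the authorization server on a miss (and only while the Auth0 session is alive), and the async axios-style request interceptor that simply asks for a token on every request instead of "pre-renewing". The names, the 60-second leeway, the audience+scope cache key and the fake authorization server are all assumptions made for the example.

```javascript
// Added example (not auth0-spa-js code): a minimal model of the SDK's
// cache-then-fetch behaviour plus an axios-style async request interceptor.
// Assumptions (not from the thread): tokens are cached per audience+scope,
// the token response carries expires_in seconds, and an expired entry is
// dropped both by a timer and on read. `fetchFromAuthServer` stands in for
// the silent authorize round trip and rejects when there is no session.

const LEEWAY_MS = 60 * 1000; // assumed margin; not the SDK's actual value

class TokenCache {
  constructor({ leewayMs = LEEWAY_MS, now = Date.now } = {}) {
    this.leewayMs = leewayMs;
    this.now = now; // injectable clock so the cache can be exercised offline
    this.entries = new Map();
  }

  static key({ audience, scope }) {
    return `${audience}::${scope}`;
  }

  // Store a token and schedule its removal at (expiry - leeway).
  set({ audience, scope, accessToken, expiresIn }) {
    const key = TokenCache.key({ audience, scope });
    const old = this.entries.get(key);
    if (old) clearTimeout(old.timer); // don't let a stale timer evict the new entry
    const ttlMs = Math.max(0, expiresIn * 1000 - this.leewayMs);
    const expiresAt = this.now() + ttlMs;
    const timer = setTimeout(() => this.entries.delete(key), ttlMs);
    if (typeof timer.unref === 'function') timer.unref(); // don't keep Node alive
    this.entries.set(key, { accessToken, expiresAt, timer });
  }

  // Return a live token or undefined; also evicts on read in case the timer
  // has not fired yet (e.g. a throttled background tab).
  get({ audience, scope }) {
    const key = TokenCache.key({ audience, scope });
    const entry = this.entries.get(key);
    if (!entry) return undefined;
    if (entry.expiresAt <= this.now()) {
      clearTimeout(entry.timer);
      this.entries.delete(key);
      return undefined;
    }
    return entry.accessToken;
  }
}

// Models getTokenSilently(): cache hit -> return it; miss -> ask the
// authorization server, which only succeeds while the Auth0 session is alive.
function makeGetTokenSilently(cache, fetchFromAuthServer, defaults) {
  return async function getTokenSilently(options = {}) {
    const query = { ...defaults, ...options };
    const hit = cache.get(query);
    if (hit) return hit;
    const fresh = await fetchFromAuthServer(query); // rejects with login_required if no session
    cache.set({ ...query, ...fresh });
    return fresh.accessToken;
  };
}

// Axios-style async request interceptor: every request asks the SDK for a
// token and lets the cache decide whether a network round trip is needed.
function makeAuthInterceptor(getTokenSilently) {
  return async function authInterceptor(config) {
    const token = await getTokenSilently();
    const headers = { ...(config.headers || {}), Authorization: `Bearer ${token}` };
    return { ...config, headers };
  };
}

// Constructed stand-in for the authorization server; counts issued tokens so
// the caching effect is observable.
function makeFakeAuthServer({ sessionActive = true, expiresIn = 300 } = {}) {
  let issued = 0;
  return {
    fetch: async () => {
      if (!sessionActive) {
        const err = new Error('login_required');
        err.error = 'login_required';
        throw err;
      }
      issued += 1;
      return { accessToken: `tok${issued}`, expiresIn };
    },
    issuedCount: () => issued,
    endSession: () => { sessionActive = false; },
  };
}
```

With the real SDK the interceptor is registered once, for example `axios.interceptors.request.use(makeAuthInterceptor(auth0.getTokenSilently.bind(auth0)))` where `auth0` is the client returned by `createAuth0Client()`; a rejection from `getTokenSilently()` (no session) then surfaces as a failed request, which is the point at which the app should send the user to log in rather than retrying in a loop.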
Very cool! I will give it a try the way you described with an async interceptor and just rely on the SDK and not worry about "pre-renewing". |
On the old auth0-js tutorial, you could renew the token until the user session expires. How would one implement it in the auth0-spa-js?