force refresh session, new API #730

Merged (4 commits) on May 13, 2020

damienbod
Owner

No description provided.

@damienbod
Owner Author

fixes #729

@damienbod damienbod merged commit 45fed72 into master May 13, 2020
@damienbod damienbod deleted the damien/forceRefreshSession branch May 13, 2020 20:51
@JohnGalt1717

JohnGalt1717 commented May 14, 2020

I just tried this and it doesn't appear to be reloading the Id Token even though my setup is set to auto-load the id. And getPayloadFromIdToken() isn't causing a refresh either so I don't know how I could manually reload the id token in this case. (I'd also expect that checkAuth would have fired when it changed like I'd expect a silentRenew would do too in the same case)

@damienbod
Owner Author

It's an async method, just in case, add a subscribe to force the call?

I use it like this:

https://github.com/damienbod/angular-auth-oidc-client/blob/master/projects/sample-code-flow-refresh-tokens/src/app/home/home.component.ts#L26-L28

Can you compare? Also you can check in the F12. Just wondering, do you have the silent renew active?

Greetings Damien

@JohnGalt1717

Here's how I'm calling it:

```typescript
const result = await this.oidcSecurityService.forceRefreshSession().toPromise();
```

result = true;

No event fired for the auth change, and no update of the id_token.

Here's my config:
```typescript
return () =>
  oidcConfigService.withConfig({
    stsServer: apiUrl,
    redirectUrl: `${location.protocol}//${location.host}`,
    postLogoutRedirectUri: LOGOUT_PATH,
    postLoginRoute: DEFAULT_LOGIN_REDIRECT_PATH,
    clientId: CLIENT_ID,
    scope: 'openid profile email',
    responseType: 'code',
    silentRenew: true,
    storage: localStorage,
    silentRenewUrl: `${location.protocol}//${location.host}/silent-renew.html`,
    logLevel: environment.production ? LogLevel.Error : LogLevel.Debug,
    autoUserinfo: true,
    forbiddenRoute: FORBIDDEN_PATH,
    autoCleanStateAfterAuthentication: true,
    triggerAuthorizationResultEvent: true,
    maxIdTokenIatOffsetAllowedInSeconds: 600,
    unauthorizedRoute: UNAUTHORIZED_PATH,
    renewTimeBeforeTokenExpiresInSeconds: 20,
  });
```

I see the silent-renew.html
https://localhost:5002/silent-renew.html?code=

Oddly, if I hit F5, I do get the updated id_token information from getPayloadFromIdToken(), it just isn't updated after the forceRefreshSession() is called.

@damienbod
Owner Author

Hi @JohnGalt1717 Your code looks good. Would it be possible to supply an example?

Greetings Damien

@JohnGalt1717

If you take the link you provided above and replace console.log with:

```typescript
const userData = this.oidcSecurityService.getPayloadFromIdToken();
console.log(userData);
```

You'll see that any changes to the id_token won't be reflected with a call from getPayloadFromIdToken(), but if you look in localStorage and decode the id_token in xxx_authorizationDataIdToken it does have it.

Here's the general flow:

  1. Update some field via api that the idp encodes in the id_token
  2. Call forceRefreshSession()
  3. UI updates based on new values from the idp in the id_token from call to getPayloadFromIdToken that sets fields.

Preferably it would be:

  1. Update some field
  2. forceRefreshSession
  3. checkAuth invoked automatically by this library because the auth changed because the tokens changed.
  4. Respond to event like normal which would cause the right stuff to be updated which would change the UI.

So I'd say that the bug is that getIdFromToken still has a cached copy even though it was updated and stored elsewhere so it never gets the new version, and the forceRefreshSession doesn't compare the auth and id tokens it gets back and then call checkAuth if they aren't the same. (doesn't matter about the content, only that they're not identical)

@damienbod
Owner Author

Thanks
I'll create a new issue with this to validate/solve. Thanks for this info.

@JohnGalt1717

Note, I think this is a timing issue caused by something that is observable/async not being awaited. If I put a breakpoint after the forceRefreshSession and wait a few seconds, and then use getIdFromToken it is updated.

@damienbod
Owner Author

@JohnGalt1717 moved the issue here:

#734

I think you just need to wait for it to come back. We have a notification event.
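The comparison described in the thread, between the payload the app holds in memory and the id_token in storage, as an added diagnostic example that is not part of this conversation or of angular-auth-oidc-client. The function names, the sample claims and the unsigned sample tokens are all constructed for illustration.

```javascript
// Added diagnostic sketch; not library code. It only decodes tokens to compare
// two copies. It does not verify signatures, so its output must not be used
// for authorization decisions.

// Decode the payload (middle segment) of a compact JWT: base64url -> UTF-8 JSON.
function decodeIdTokenPayload(idToken) {
  const parts = String(idToken).split('.');
  if (parts.length !== 3 || !parts[1]) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Compare the payload held in memory with the token currently in storage.
// Returns the sorted names of claims that differ and a stale flag.
function compareIdTokenCopies(inMemoryPayload, storedIdToken) {
  const cached = inMemoryPayload || {};
  const stored = decodeIdTokenPayload(storedIdToken);
  const names = new Set([...Object.keys(cached), ...Object.keys(stored)]);
  const changed = [...names]
    .filter((n) => JSON.stringify(cached[n]) !== JSON.stringify(stored[n]))
    .sort();
  return { stale: changed.length > 0, changed, storedIat: stored.iat };
}

// Constructed sample data: tokens with made-up claims and a placeholder signature.
function makeSampleToken(claims) {
  const enc = (obj) =>
    btoa(String.fromCharCode(...new TextEncoder().encode(JSON.stringify(obj))))
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.constructed-signature`;
}

const beforeRefresh = makeSampleToken({ sub: 'u1', role: 'user', iat: 1589400000 });
const afterRefresh = makeSampleToken({ sub: 'u1', role: 'admin', iat: 1589400060 });

// In the browser, inMemory would be the result of getPayloadFromIdToken() and
// the stored token would be read from the localStorage entry named in the thread.
const inMemory = decodeIdTokenPayload(beforeRefresh);
console.log(compareIdTokenCopies(inMemory, afterRefresh));  // stale copy detected
console.log(compareIdTokenCopies(inMemory, beforeRefresh)); // copies agree
```

A `stale: true` result right after a refresh means the UI is still rendering claims from the previous token, which matters when those claims drive what the user is shown or allowed to do.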
