Implicit Flow Checks Non-Existing Refresh Token

[jdmaguire]

Hello, I'm integrating keycloak-angular into an existing Angular 5 app and am experiencing an issue when using the implicit flow. (I'm new to keycloak and this library so it's entirely possible I've not configured something properly or misunderstood use cases.)

From a behaviour prospective, after initializing the keycloak.service, I am forwarded to the Keycloak login page and after login, successfully land back in my app. The app loads up, initializes the keycloak.service again; however, soon I find that the browser tries to navigate back to keycloak, keycloak redirects to my app, app to keycloak, keycloak back to app, and so forth.

Debugging my code, I see both isLoggedIn() and getToken() call updateToken which calls keycloak-js's updateToken which returns an error'd promise since there are no refresh tokens in an implicit flow.

I'm extending from keycloak-auth-guard.service and using the interceptor. The former calls isLoggedIn() directly in canActivate(...) and the latter calls addTokenToHeader() that then calls getToken().

I'm wondering what I'm doing wrong in the init or general usage that is causing this unexpected behaviour? Any help would be appreciated, thanks :)

Config

Using keycloak-angular 1.4.0 whose using keycloak-js 3.4.3. Example config used for init.

{
    "initOptions": {
        "responseMode": "fragment",
        "flow": "implicit",
        "onLoad": "check-sso"
    },
    "config": {
        "realm": "aRealm",
        "url": "https://example.com",
        "clientId": "clientId"
    }
}

[mauriciovigolo]

@jdmaguire, I was able to reproduce your issue and you are right, when using the implicit flow the behavior should be different, otherwise it will face an endless redirect loop.

Thanks for opening this issue!

[mauriciovigolo]

Versions 1.4.1, 2.0.2, 3.0.2 and 4.0.0 includes the fix for this bug. Thanks @jdmaguire!

[jdmaguire]

Thanks for the fix. Works like a charm Mauricio.