Question: Ambiguous token manager refresh behaviour

[jennasalau]

Hi,

Can you please confirm how your token manager refreshes tokens?

I note in the documentation it states the following.

When a token is added to the tokenManager, it is automatically refreshed when it expires.

Does this mean you allow it to expire before refreshing? Is there a small gap where a user is using our app with an expired token? Or are we supposed have a timer and manually refresh them before expiry?

Also, does refreshing a token also refresh a users session? I'm a little confused when a session expires because to my understanding we need it in order to refresh tokens.

Thanks,
Jenna

[jennasalau]

Hello?

[jennasalau]

Okay, I've done some digging into their code.

It seems they set a timeout that is dead on the expire time then calls an async network request to refresh the token.

There are problems that i can see with this:

• The token expires before a refresh is even attempted. ie This manager cannot guarantee it always has a valid token with auto refresh turned on
• If the network request to refresh the token fails for any reason they just either delete the token and trigger an expire event or throw an error.

Ideally the token manager would try to refresh a couple of minutes BEFORE expiry and make refresh retry attempts if the first one fails. See related issue. Based on this we might just ditch their token manager and role our own. Im reluctant to put in a PR since they are MIA on here.

I still have one unknown and that is whats the deal with the session refresh. Its not clear if we need to be doing session refreshes alongside token refreshes?

[robertjd]

Hi @jennasalau , sorry for not answering your question sooner. We do plan to fix this soon, please see this issue I've created to track the work and review our proposed solution:

#125

[jmelberg-okta]

Hi @jennasalau,

We're looking into getting this fixed ASAP. Please follow along with #125 for updates.

Closing this issue as a duplicate.