Issue token refresh before token expiry #92

Closed
alicehelen opened this issue Feb 9, 2018 · 9 comments

@alicehelen

Please advise: is there an option to continuously check whether the token is going to expire and, before the token expires (e.g. when only 25% of the expiry time is still left), request a refresh token?

@lboyette-okta
Contributor

When a token is added to the tokenManager, renewing the tokens is handled for you automatically: https://github.com/okta/okta-auth-js#tokenmanageraddkey-token.

@alicehelen
Author

Thank you. I also have another question about validating received ID tokens, such as verifying the signature and claims in the ID token.
I was able to decode the ID token from tokenManager using the decodeToken function. Can you advise if there is any library to validate the signature?

@alicehelen
Author

As mentioned in the doc, I am using the token.verify method to validate the token. This method validates the token claims and signature. I will use the decode method and perform additional validation, like verifying the issuer and issued time, in addition to the token.verify method.
Can you verify if this would be a proper solution? Thanks!

@lboyette-okta
Contributor

The tokenManager also handles verification for you, so if you get a token from the tokenManager, it's a verified token.

@cmckni3

cmckni3 commented Mar 12, 2018

I am having issues where the token I get back from tokenManager was valid but has either expired or was revoked.

Should this be the case?

@kevlened
Contributor

@cmckni3

Currently, if you attempt to get a token immediately on page load, it's possible to get a token that has expired.

The tokenManager is unaware of revoked tokens, but the userinfo endpoint (token.getUserInfo) and your API should reject revoked access tokens when you try to use them. Note that your API must be configured to hit the introspection endpoint to support token revocation.

@cmckni3

cmckni3 commented Mar 21, 2018

Ok, I was under the impression that verifying the token would handle that and that tokenManager had verified the tokens before returning them.

@kevlened
Contributor

kevlened commented Mar 21, 2018

It does handle expiration validation (not revocation). The page load issue is due to a race condition. The tokenManager will identify an expired token and start a refresh on page load, but the synchronous tokenManager.get('token') call will return the expired token before the refresh is finished.
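
A guard for the page-load race described in the comment above, as an added example that is not part of the thread or of okta-auth-js. It assumes the token object carries `expiresAt` in seconds since the epoch and that the manager exposes a promise-returning `refresh(key)`; the manager here is a constructed stub and all sample values are made up.

```javascript
// Added example (not okta-auth-js code). Assumptions: the token object carries
// `expiresAt` in seconds since the epoch, and the manager exposes a
// promise-returning `refresh(key)`; check both against the version you run.

// True when the token is missing, has no expiry, or expires within `skewSec`.
function isExpired(token, nowSec, skewSec = 30) {
  if (!token || typeof token.expiresAt !== 'number') return true;
  return token.expiresAt - skewSec <= nowSec;
}

// Never hand an expired token to the caller: if the synchronous get() returns
// a stale one, wait for the refresh and re-check the result before using it.
async function getFreshToken(tokenManager, key, nowSec = Math.floor(Date.now() / 1000)) {
  const cached = tokenManager.get(key);
  if (!isExpired(cached, nowSec)) return cached;
  const renewed = await tokenManager.refresh(key);
  if (isExpired(renewed, nowSec)) {
    throw new Error('no unexpired token available for ' + key);
  }
  return renewed;
}

// Constructed stand-in that reproduces the race: get() returns whatever is
// stored, even when that token has already expired and needs a refresh.
function makeStubManager(stored, refreshed) {
  const tokens = { ...stored };
  return {
    get: (key) => tokens[key],
    refresh: (key) => {
      tokens[key] = refreshed[key];
      return Promise.resolve(tokens[key]);
    },
  };
}

// Constructed sample values.
const NOW = 1521650000;
const stub = makeStubManager(
  { token: { accessToken: 'old-sample', expiresAt: NOW - 60 } },
  { token: { accessToken: 'new-sample', expiresAt: NOW + 3600 } }
);
getFreshToken(stub, 'token', NOW).then((t) => console.log(t.accessToken));
```

This covers expiry only; a revoked token still passes the local check and has to be rejected by the API through introspection, as noted earlier in the thread.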

@jmelberg-okta
Contributor

Hi @alicehelen,

We're going to close this with respect to #125. We're working on getting a fix in soon to resolve this issue.

Thanks!
