fix: TokenManager.renew(key) should renew only requested token #656
Conversation
denysoblohin-okta
force-pushed
the
fix-renew-by-key-OKTA-352791
branch
from
d875717
to
b8a788d
Compare
denysoblohin-okta
changed the title
lib/TokenManager.ts
Outdated
| }) | ||
| .then(function(freshTokens) { | ||
| // store and emit events for freshTokens | ||
| tokenMgmtRef.renewPromise[key] = sdk.token.renew(token) |
There was a problem hiding this comment.
sdk.token.renew (oidc/renewToken) only handles renew in the hidden iframe way. This change should still keep the renew with refresh approach.
Codecov Report
@@ Coverage Diff @@
## master #656 +/- ##
==========================================
+ Coverage 92.72% 92.88% +0.15%
==========================================
Files 67 67
Lines 2447 2599 +152
Branches 517 559 +42
==========================================
+ Hits 2269 2414 +145
- Misses 178 185 +7
Continue to review full report at Codecov.
|
lib/oidc/renewToken.ts
Outdated
| issuer | ||
| }) | ||
|
|
||
| // If we have a refresh token, renew using that, otherwise getWithoutPrompt |
There was a problem hiding this comment.
I think it would make sense to add a helper renew function in TokenManager to make the flows check (it's actually looks like a manager function).
Also, as we expose the renew functions from the top-level (browser.ts), behavior change in the lower-level functions looks like a breaking change to me (changes the public API authClient.token.renew, which should use getWithoutPrompt only).
There was a problem hiding this comment.
Moved renew token with refresh token flow to TokenManager
denysoblohin-okta
force-pushed
the
fix-renew-by-key-OKTA-352791
branch
from
a8c7da5
to
e5a8d01
Compare
|
@shuowu What do you think on the latest change? |
| @@ -50,6 +50,7 @@ import { | |||
| revokeToken, | |||
| renewToken, | |||
| renewTokens, | |||
| renewTokensWithRefresh, | |||
There was a problem hiding this comment.
Looks like this method does not exist anymore, remove?
| @@ -213,6 +214,7 @@ class OktaAuthBrowser extends OktaAuthBase implements OktaAuth, SignoutAPI { | |||
| decode: decodeToken, | |||
| revoke: revokeToken.bind(null, this), | |||
| renew: renewToken.bind(null, this), | |||
| renewTokensWithRefresh: renewTokensWithRefresh.bind(null, this), | |||
| @@ -16,6 +16,7 @@ export * from './util'; | |||
| export { decodeToken } from './decodeToken'; | |||
| export { revokeToken } from './revokeToken'; | |||
| export { renewToken } from './renewToken'; | |||
| export { renewTokensWithRefresh } from './renewTokensWithRefresh'; | |||
| @@ -148,6 +148,7 @@ export interface TokenAPI extends BaseTokenAPI { | |||
| revoke(token: RevocableToken): Promise<object>; | |||
| renew(token: Token): Promise<Token>; | |||
| renewTokens(): Promise<Tokens>; | |||
| renewTokensWithRefresh(refreshTokenObject: RefreshToken): Promise<Tokens>; | |||
|
We don't need to add |
This reverts commit 20a8e11.
denysoblohin-okta
force-pushed
the
fix-renew-by-key-OKTA-352791
branch
from
5e6f48d
to
e88635e
Compare
CHANGELOG.md
Outdated
| @@ -1,5 +1,11 @@ | |||
| # Changelog | |||
|
|
|||
| ## 4.8.1 | |||
There was a problem hiding this comment.
Let's make the change as 4.9.0 (minor), since it adds new top level API.
Current implementation of
TokenManager.renewrefreshes access token and id token together if user not specifiedresponseTypeinOktaAuthconfig (as in #559 -responseTypewas used only ingetWithoutPromptand not in OktaAuth contructor).okta-auth-js/lib/oidc/renewTokens.ts
Line 41 in 5e9af2f
If user uses multiple access tokens with multiple keys (as in issue #559),
TokenManager.renewwill always use key of first access token in token storage to update any access token with new value:okta-auth-js/lib/TokenManager.ts
Line 338 in 5e9af2f
okta-auth-js/lib/TokenManager.ts
Line 187 in 5e9af2f
This will lead to a problem when expired access token will stay in storage. And on
resetExpireEventTimeoutAlltimer to update will fire againokta-auth-js/lib/TokenManager.ts
Line 139 in 5e9af2f
Internal ref: OKTA-352791
Issue: #559