oidc-client-ts

refresh_token_expires_in missing

Open 0rsa opened this issue 1 year ago • 6 comments

Good afternoon. Calling the IdP /token (grant_type: authorization_code), I receive this attribute in the response:

refresh_token_expires_in: 3600

I cannot find this attribute in the repo source code and this attribute is lost in the oidc:user session storage.

Is there a reason for this attribute to be ignored by the library?

Thank you

0rsa avatar Jan 30 '24 14:01 0rsa

This library supports the OAuth2.0/OIDC standard, which defines expires_in for access tokens. See https://openid.net/specs/openid-connect-core-1_0.html#CodeNotes.

The expires_in for refresh tokens is not yet implemented...

BTW: Which IDP are you using?

pamapa avatar Jan 31 '24 08:01 pamapa

Looks like there is no refresh_token_expires_in defined in the OAuth2 standard...

pamapa avatar Jan 31 '24 08:01 pamapa

I guess it's a Microsoft specificity https://learn.microsoft.com/en-us/linkedin/shared/authentication/programmatic-refresh-tokens

refresh_token_expires_in — The number of seconds remaining until the refresh token expires. Refresh tokens usually have a longer lifespan than access tokens.

0rsa avatar Jan 31 '24 09:01 0rsa

It would be quite easy; what I do not like is that it is not part of the spec...

Similar to expires_in, it must be added in these files:

  • https://github.com/authts/oidc-client-ts/blob/a3dcd7e05f6d12713f5a1e1762f4feffab14cc60/src/SigninResponse.ts#L70-L82
  • https://github.com/authts/oidc-client-ts/blob/a3dcd7e05f6d12713f5a1e1762f4feffab14cc60/src/User.ts#L82-L93

pamapa avatar Feb 01 '24 10:02 pamapa
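
An added example, not code from oidc-client-ts or from anyone in this thread: one way an application could keep the non-standard refresh_token_expires_in value from the raw token response by converting it to an absolute expiry at receipt, the way a relative expires_in is usually handled. All type and function names are hypothetical, and the sample response is constructed.

```typescript
// Added example. Only expires_in and refresh_token_expires_in come from the
// thread; every type and function name here is hypothetical.
interface IdpTokenResponse {
    access_token: string;
    refresh_token?: string;
    expires_in?: unknown;
    refresh_token_expires_in?: unknown; // non-standard, IdP-specific
}

interface TokenLifetimes {
    expires_at: number | undefined;               // epoch seconds
    refresh_token_expires_at: number | undefined; // epoch seconds
}

// Accept a number or numeric string. Anything malformed becomes "unknown"
// instead of being read as zero or as a token that never expires.
function toSeconds(value: unknown): number | undefined {
    if (typeof value === "string" && value.trim() === "") return undefined;
    const n = typeof value === "string" ? Number(value) : value;
    if (typeof n !== "number" || !Number.isFinite(n) || n < 0) return undefined;
    return Math.floor(n);
}

// Convert relative lifetimes to absolute expiry times at receipt.
function toLifetimes(resp: IdpTokenResponse, now: number): TokenLifetimes {
    const access = toSeconds(resp.expires_in);
    const refresh = resp.refresh_token
        ? toSeconds(resp.refresh_token_expires_in)
        : undefined;
    return {
        expires_at: access === undefined ? undefined : now + access,
        refresh_token_expires_at: refresh === undefined ? undefined : now + refresh,
    };
}

// true/false when the expiry is known, undefined when the IdP did not say.
function refreshTokenUsable(l: TokenLifetimes, now: number, skew = 30): boolean | undefined {
    if (l.refresh_token_expires_at === undefined) return undefined;
    return now + skew < l.refresh_token_expires_at;
}

// Constructed sample response; 3600 is the value quoted in the issue.
const sampleResponse: IdpTokenResponse = {
    access_token: "constructed-access-token",
    refresh_token: "constructed-refresh-token",
    expires_in: 300,
    refresh_token_expires_in: 3600,
};
```

When refreshTokenUsable returns undefined the expiry is unknown, so the client should attempt the refresh and handle the IdP's rejection rather than assume the token is still valid.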