oidc-client
Website requesting openid-configuration repeatedly when not logged in. Calling /connect/authorize repeatedly when logged in, instead of restoring immediately from storage.
Issue and Steps to Reproduce
Hello Axa Team!
Thank you for all the amazing work you've put into this package. It is very helpful to our development!
I have recently started migration from v3 of the package to v5, and noticed some differences between the two libraries.
Most importantly, I noticed that upon reload of the page, the Provider makes a call to openid-configuration, while in v3 it was not doing that, until you would call the login function.
Additionally, when the user is logged in and I see their session state stored, there is a small flash of the loading screen on page refresh that attempts to call the /connect/authorize endpoint. By contrast, in v3, your session was restored right from the sessionStorage.
I was looking for a way to disable that feature, as those flickering loading screens are a little bit bothersome.
Is there a way to restore the session from storage, and not check the IdentityServer configuration on refresh or load?
Thank you for your time!
Versions
v5.14.0
Screenshots
When logged out and refreshing the page...
When logged in and refreshing the page...
Expected
- Discovery endpoint is never called for logged out user.
- When refreshing page with logged in user, use the sessionStorage values.
Actual
- The provider doesn't call the discovery document endpoint when refreshing the page of a logged-out user.
- The provider attempts to re-authorize the user when logged in and refreshing the page.
Additional Details
The same behavior is observed in the example app. https://black-rock-0dc6b0d03.1.azurestaticapps.net/profile
- Installed packages:
Hi @tielushko, thank you very much for your issue and its quality. It is a really good idea. It can be added to the local storage with a timestamp to keep the cache fresh only during a span of life.
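The timestamped cache suggested above, written out as an added example in JavaScript. This is not oidc-client's own code: the storage key layout, `DEFAULT_TTL_MS`, the injected `fetchDiscovery` callback and the stub issuer `https://idp.example.test` are all assumptions made for illustration. The only standard piece is the discovery path `/.well-known/openid-configuration`. The `fromNetwork` flag in the result is the signal a provider could use to skip the loading screen entirely when the document came from storage.

```javascript
// Added example, not code from the oidc-client library: cache the OpenID
// discovery document in web storage with a timestamp, so a page reload reuses
// it until the entry is older than a chosen time-to-live.
// cacheKeyFor, DEFAULT_TTL_MS and fetchDiscovery are illustrative names.

const DEFAULT_TTL_MS = 60 * 60 * 1000; // assumption: keep the document for one hour

// In-memory stand-in for window.localStorage so the example runs under Node.
// In a browser, pass window.localStorage (which survives reloads) instead.
function createMemoryStorage() {
  const map = new Map();
  return {
    getItem: (key) => (map.has(key) ? map.get(key) : null),
    setItem: (key, value) => { map.set(key, String(value)); },
    removeItem: (key) => { map.delete(key); },
  };
}

// One entry per issuer, so two providers on the same origin do not collide.
function cacheKeyFor(issuer) {
  return `oidc.discovery.${issuer}`;
}

// Fresh: the entry exists, carries a numeric timestamp, and that timestamp is
// less than ttlMs in the past. A timestamp in the future (clock moved back)
// counts as fresh here; tighten the check if that matters to you.
function isFresh(entry, nowMs, ttlMs) {
  return Boolean(entry)
    && typeof entry.storedAt === 'number'
    && nowMs - entry.storedAt < ttlMs;
}

// Returns the cached document, or null when it is missing, malformed or stale.
// Malformed and stale entries are evicted so they are not parsed again.
function readCachedConfiguration(storage, issuer, nowMs, ttlMs = DEFAULT_TTL_MS) {
  const key = cacheKeyFor(issuer);
  const raw = storage.getItem(key);
  if (raw === null) return null;
  let entry;
  try {
    entry = JSON.parse(raw);
  } catch (_err) {
    storage.removeItem(key);
    return null;
  }
  if (!isFresh(entry, nowMs, ttlMs)) {
    storage.removeItem(key);
    return null;
  }
  return entry.configuration;
}

function writeCachedConfiguration(storage, issuer, configuration, nowMs) {
  storage.setItem(cacheKeyFor(issuer), JSON.stringify({ storedAt: nowMs, configuration }));
}

// Cache-first loader. fetchDiscovery(url) is injected so the network layer can
// be swapped (global fetch in the browser, a stub below). The result says
// whether the network was used, which is what a UI needs to decide whether a
// loading screen is warranted at all.
async function getOpenIdConfiguration(storage, issuer, fetchDiscovery, nowMs = Date.now(), ttlMs = DEFAULT_TTL_MS) {
  const cached = readCachedConfiguration(storage, issuer, nowMs, ttlMs);
  if (cached !== null) return { configuration: cached, fromNetwork: false };
  const url = `${issuer.replace(/\/$/, '')}/.well-known/openid-configuration`;
  const configuration = await fetchDiscovery(url);
  // Refuse to cache a document that cannot be used to start an authorization.
  if (!configuration || typeof configuration.authorization_endpoint !== 'string') {
    throw new Error(`discovery document from ${url} lacks authorization_endpoint`);
  }
  writeCachedConfiguration(storage, issuer, configuration, nowMs);
  return { configuration, fromNetwork: true };
}

// Constructed sample document standing in for a real issuer's response.
const SAMPLE_ISSUER = 'https://idp.example.test';
const SAMPLE_DISCOVERY = {
  issuer: SAMPLE_ISSUER,
  authorization_endpoint: `${SAMPLE_ISSUER}/connect/authorize`,
  token_endpoint: `${SAMPLE_ISSUER}/connect/token`,
  jwks_uri: `${SAMPLE_ISSUER}/.well-known/openid-configuration/jwks`,
};

// Stub fetcher that records calls instead of touching the network.
function createStubFetcher(document) {
  const fetcher = async (url) => { fetcher.calls.push(url); return document; };
  fetcher.calls = [];
  return fetcher;
}

// Simulate two reloads inside the TTL and one after it: only the first and
// the last should hit the network.
async function demo() {
  const storage = createMemoryStorage();
  const fetcher = createStubFetcher(SAMPLE_DISCOVERY);
  const t0 = 1700000000000; // constructed clock value
  const first = await getOpenIdConfiguration(storage, SAMPLE_ISSUER, fetcher, t0);
  const second = await getOpenIdConfiguration(storage, SAMPLE_ISSUER, fetcher, t0 + 5 * 60 * 1000);
  const third = await getOpenIdConfiguration(storage, SAMPLE_ISSUER, fetcher, t0 + 2 * DEFAULT_TTL_MS);
  return { networkCalls: fetcher.calls.length, fromNetwork: [first.fromNetwork, second.fromNetwork, third.fromNetwork] };
}

demo().then((r) => console.log(JSON.stringify(r))).catch((e) => console.error(e));
```

Two design points worth noting: the cache is keyed by issuer rather than by a fixed string, and a document that lacks `authorization_endpoint` is never written to storage, so a broken or partial response cannot poison subsequent reloads for the length of the TTL.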
@guillaume-chervet, thank you for such a quick response on my issue!
For now, I can try setting that timeout to 0 in order to load my website quicker for the users that can view it without the need to authenticate.
As for your second point, I tried using localStorage in the storage property of the config, but it appears that the behavior stays exactly the same, and it resends the AuthorizationRequest on every load/refresh of the website.
As another suggestion: why, when fetching the initial configuration from the Identity server, should the app be blocked for the user? Same when sending the silent sign-in on refresh. I would think it shouldn't block the application if the user is logged out and it's making a discovery request for the configuration.
For the re-sending after each refresh, I am on it. I fix it in #817, still an ugly pull request.
Thank you again for the feedback, I totally agree with the fact that the library should not block interaction for a logged-out user while loading technical data. It will be a nice enhancement!
Hi @tielushko,
I have taken part of your suggestion in the last alpha version:
https://black-rock-0dc6b0d03-817.westeurope.1.azurestaticapps.net/
Published under version 6.0.0-alpha0. The breaking change is that it requires a new silent_signin_uri property, and the silent_redirect_uri needs to be declared to the OIDC server.
Thank you @guillaume-chervet! I look forward to seeing those changes! I checked out the alpha link you sent, but I still see the loading window when refreshing the page for a logged-out user, just as when refreshing the page when the user has already logged in and it is trying to verify the token.
I wasn't sure if that was expected behavior still. Thank you for your support!
I made things better in v6, but it is still not perfect. I may display the loader only when a child component is secured.