
Frontend does not refresh token after expiration

Status: Open. dennyverbeeck opened this issue 8 years ago • 6 comments

Currently, after the JWT expires the user needs to login again, even if he is still working in the app. The frontend should refresh the JWT after it expires if the user is still working in the app.

dennyverbeeck avatar Oct 26 '17 14:10 dennyverbeeck

Apparently, this is on purpose for security purposes. If necessary we can implement this. But jhipster suggests logging in again.

nivemaham avatar Oct 27 '17 04:10 nivemaham

Hmm, IMO it's odd behavior to have to log in again in an application where I'm still active. I would understand the logout after a period of inactivity. But currently the logout happens even if the user is active. If this is the desired behavior then fine with me of course, but I suspect users would get annoyed pretty quickly. Let's follow up in one of the calls to see what others think.

dennyverbeeck avatar Oct 30 '17 14:10 dennyverbeeck

I think it would be unusual to be logged out while active (I don't think I've come across this behaviour in other systems) and could result in data loss. Perhaps an alternative is the timeout could trigger a dialog that requires the user to confirm they wish to remain logged in?

afolarin avatar Oct 31 '17 09:10 afolarin

Sounds good @afolarin, I'll get on it

dennyverbeeck avatar Oct 31 '17 15:10 dennyverbeeck

Hi guys, I did a background check on this again and these are the known concerns that are discussed: should we refresh the token, session storage or localstorage to store the token, and an approach taken by jhipster to solve it by using server-side sessions. Our current approach will need a lot of change if we want to do the same.

For the time being, my proposal is to use the Remember me (currently no implementation behind it) button when signing in. If the user chooses to use remember-me we store the token in sessionStorage and refresh the token when it expires for now. What do you think? @dennyverbeeck, @blootsvoets

nivemaham avatar Nov 06 '17 11:11 nivemaham

The Remember me button is supposed to be used to remember the user between sessions (docs). I think the token should be refreshed when the user is active, regardless of the remember me function. Probably the simplest approach would be to implement something like this in the auth-oauth2.service.ts getToken() function:

  1. If access token is not expired, return it
  2. Otherwise, if refresh token is not expired, use it to get new access token, return to 1.
  3. If refresh token is expired as well, prompt for new login.

What we can then do is to have the refresh token be valid for e.g. two hours. Then, if a user is inactive for more than two hours, their refresh token is not valid anymore and as a result they are logged out. Later, we can also implement a dialog like @afolarin is suggesting. When we receive the refresh token we can read the validity and set a timer appropriate for the validity of the token (e.g. validity minus 5 minutes).

Nice research on the token storage by the way! Interesting articles, it seems we are storing the JWT in web storage. I'll open another issue to investigate that since it's independent from refreshing the token.

dennyverbeeck avatar Nov 08 '17 08:11 dennyverbeeck
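The three-step getToken() flow proposed above, plus the "validity minus 5 minutes" timer, written out as a framework-free TypeScript class. This is an added example, not code from ManagementPortal or its auth-oauth2.service.ts; the names TokenSet, TokenService, RefreshFn and the injected clock are assumptions made so the logic can run stand-alone.

```typescript
// Added illustration (not project code). Expiry values are epoch milliseconds;
// the clock is injected so the flow can be exercised without real time passing.
interface TokenSet {
  accessToken: string;
  accessExpiresAt: number;
  refreshToken: string;
  refreshExpiresAt: number;
}

// Hypothetical callback standing in for the server round-trip that exchanges
// a refresh token for a new token set.
type RefreshFn = (refreshToken: string) => TokenSet;

class TokenService {
  private tokens: TokenSet | null;
  private readonly refresh: RefreshFn;
  private readonly now: () => number;
  private readonly warnBeforeMs: number;

  constructor(tokens: TokenSet | null, refresh: RefreshFn,
              now: () => number = () => Date.now(),
              warnBeforeMs: number = 5 * 60 * 1000) {
    this.tokens = tokens; this.refresh = refresh;
    this.now = now; this.warnBeforeMs = warnBeforeMs;
  }

  // Steps 1-3 from the thread. Returns null when a fresh login is required.
  getToken(): string | null {
    const t = this.tokens;
    if (!t) return null;                                     // step 3: no session
    if (t.accessExpiresAt > this.now()) return t.accessToken; // step 1
    if (t.refreshExpiresAt > this.now()) {                   // step 2
      const fresh = this.refresh(t.refreshToken);
      this.tokens = fresh;
      // back to step 1; if the server handed back an already-expired access
      // token, fall through to login instead of looping on refresh
      if (fresh.accessExpiresAt > this.now()) return fresh.accessToken;
    }
    this.tokens = null;                                      // step 3
    return null;
  }

  // Delay for the "stay logged in?" dialog timer: refresh-token validity minus
  // the warning margin, clamped at 0. Null when there is no session to warn about.
  warnDelayMs(): number | null {
    const t = this.tokens;
    if (!t) return null;
    return Math.max(0, t.refreshExpiresAt - this.now() - this.warnBeforeMs);
  }
}
```

In the real service the timer callback would open the confirmation dialog and, on confirm, call getToken() so the refresh happens while the refresh token is still valid.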