oidc-client-ts icon indicating copy to clipboard operation
oidc-client-ts copied to clipboard

Published 20 hours ago verified publisher icon authts

Add global requestTimeoutInSeconds setting to OidcClientSettings

Open dbfr3qs opened this issue 11 months ago • 10 comments

Closes #1414

This adds a requestTimeoutInSeconds setting. When this is defined, it applies a retry timeout to all fetch requests made to the authorization server (e.g. /token, /userinfo, /.well-known/openid-configuration) except for requests made with silentRequestTimeoutInSeconds (if it is defined).

So the logic goes

  1. requestTimeoutInSeconds is set -> all requests have the same timeout
  2. silentRequestTimeoutInSeconds is set -> only silent request have a specific timeout
  3. both are set -> all requests have the same timeout except silent requests are set to silentRequestTimeoutInSeconds

Checklist

  • [ ] This PR makes changes to the public API
  • [x] I have included links for closing relevant issue numbers

dbfr3qs avatar Mar 06 '24 23:03 dbfr3qs

@Badisi Can you have a look at this?

pamapa avatar Mar 08 '24 08:03 pamapa

Codecov Report

Attention: Patch coverage is 87.50000% with 1 lines in your changes are missing coverage. Please review.

Project coverage is 80.49%. Comparing base (f0ad76e) to head (e4fe7c6). Report is 11 commits behind head on main.

:exclamation: Current head e4fe7c6 differs from pull request most recent head 2e19329. Consider uploading reports for the commit 2e19329 to get more accurate results

Files Patch % Lines
src/UserManager.ts 0.00% 0 Missing and 1 partial :warning:
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1430      +/-   ##
==========================================
- Coverage   80.53%   80.49%   -0.04%     
==========================================
  Files          45       45              
  Lines        1731     1733       +2     
  Branches      344      345       +1     
==========================================
+ Hits         1394     1395       +1     
  Misses        299      299              
- Partials       38       39       +1
Flag Coverage Δ
unittests 80.49% <87.50%> (-0.04%) :arrow_down:

Flags with carried forward coverage won't be shown. Click here to find out more.

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov[bot] avatar Mar 08 '24 08:03 codecov[bot]

@dbfr3qs, thanks for the PR !

Note that when this is configured, it overrides the silentRequestTimeoutInSeconds used when retrieving refresh tokens

I would go with the opposite: silentRequestTimeoutInSeconds should override requestTimeoutInSeconds if it is also set. Otherwise I wouldn't be able to define a global timeout + a different one for silent request.

Either:

  1. requestTimeoutInSeconds is set -> all requests have the same timeout
  2. silentRequestTimeoutInSeconds is set -> only silent request have a specific timeout
  3. both are set -> all requests have the same timeout except silent request that have a different one

Badisi avatar Mar 08 '24 10:03 Badisi

@Badisi Can you have a look at this?

I'm abroad right now, will be able to look into this in 2 weeks

Badisi avatar Mar 08 '24 11:03 Badisi

@pamapa @Badisi Thankyou both for your excellent feedback. I've made the suggested changes to try and satisfy the rules described above, such that the silentRequestTimeoutInSeconds setting is not overridden by requestTimeoutInSeconds unless it is not defined:

Either:

  1. requestTimeoutInSeconds is set -> all requests have the same timeout
  2. silentRequestTimeoutInSeconds is set -> only silent request have a specific timeout
  3. both are set -> all requests have the same timeout except silent request that have a different one

However, there's a default setting for the silentRequestTimeoutInSeconds setting so the logic will likely not work unless silentRequestTimeoutInSeconds is intentionally set to undefined. Thoughts?

dbfr3qs avatar Mar 10 '24 03:03 dbfr3qs

I would go with the opposite: silentRequestTimeoutInSeconds should override requestTimeoutInSeconds if it is also set. Otherwise I wouldn't be able to define a global timeout + a different one for silent request.

Makes sense! We can handle this also within UserManagerSettingsStore...

pamapa avatar Mar 13 '24 15:03 pamapa

@pamapa @Badisi Thankyou both for your excellent feedback. I've made the suggested changes to try and satisfy the rules described above, such that the silentRequestTimeoutInSeconds setting is not overridden by requestTimeoutInSeconds unless it is not defined:

Either:

  1. requestTimeoutInSeconds is set -> all requests have the same timeout
  2. silentRequestTimeoutInSeconds is set -> only silent request have a specific timeout
  3. both are set -> all requests have the same timeout except silent request that have a different one

However, there's a default setting for the silentRequestTimeoutInSeconds setting so the logic will likely not work unless silentRequestTimeoutInSeconds is intentionally set to undefined. Thoughts?

Any thoughts on this @Badisi @pamapa ?

dbfr3qs avatar Apr 08 '24 21:04 dbfr3qs

However, there's a default setting for the silentRequestTimeoutInSeconds setting so the logic will likely not work unless silentRequestTimeoutInSeconds is intentionally set to undefined. Thoughts?

True, silentRequestTimeoutInSeconds is set by default to 10s. In order to not break the existing behavior we can not leave it undefined.

Probably something like this within UserManagerSettingsStore should work:

 this.requestTimeoutInSeconds = requestTimeoutInSeconds;
 this.silentRequestTimeoutInSeconds = silentRequestTimeoutInSeconds ? silentRequestTimeoutInSeconds
   : requestTimeoutInSeconds ? requestTimeoutInSeconds
   : DefaultSilentRequestTimeoutInSeconds;

pamapa avatar Apr 09 '24 07:04 pamapa

Let me know if this does the trick @pamapa @Badisi 🙏

dbfr3qs avatar May 01 '24 07:05 dbfr3qs

Looks good to me. @Badisi What do you think?

pamapa avatar May 06 '24 13:05 pamapa

Thanks for contributing and being patient!

pamapa avatar Jun 21 '24 09:06 pamapa