
[Bug]: Silent refresh fails using localStorage when multiple tabs trying to refresh at the same time

Open Coldfen opened this issue 2 years ago • 16 comments

Version

16.0.0

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

myConfigId - silent renew failed! Error: Error: authorizedCallback, token(s) validation failed, resetting.

Steps to reproduce the behavior

1) Set up OIDC Code Flow PKCE using refresh tokens (used 'ng add angular-auth-oidc-client')

2) Set up custom storage using localStorage (used example from https://angular-auth-oidc-client.com/docs/documentation/custom-storage)

3) To speed up testing, set up your authority to have short-lived access and refresh tokens (i.e. 30 - 50 seconds).

4) Log in using one browser [Chrome] tab (i.e. this.oidcSecurityService.authorize()). Open console and verify refresh is working

5) Open a few more tabs. Open console and verify they are authorized and refreshing (in my case I open 6 or more)

6) Wait until error occurs. It shouldn't take long - usually 2-20 minutes with 30 - 40 second tokens. Open more tabs if needed.

A clear and concise description of what you expected to happen.

Access token should refresh successfully and all tabs remain authorized

Additional context

The same problem was described in #1662

image

A temporary solution does not suit me well, because my token functions for 300 seconds.

My config: image

AuthConfigModule added to the imports of the main AppModule.

Coldfen avatar Sep 13 '23 12:09 Coldfen

Experiencing the same issue. Any help appreciated.

joewIST avatar Sep 19 '23 11:09 joewIST

Same issue.

CraigGP1 avatar Sep 20 '23 06:09 CraigGP1

We're encountering issues with this fairly often too. If there's a solution at the library level, that would be great.

Ghostbird avatar Sep 20 '23 12:09 Ghostbird

Not sure if you are experiencing any of the issues found here as well? https://github.com/damienbod/angular-auth-oidc-client/issues/1753

joewIST avatar Sep 20 '23 14:09 joewIST

No, not as far as I know. The trick mentioned in https://github.com/damienbod/angular-auth-oidc-client/issues/1662#issuecomment-1516305881 is something I'm going to try, where the renewTimeBeforeTokenExpiresInSeconds gets a random number. That won't fix it, but may significantly reduce the problem.

Ghostbird avatar Sep 21 '23 06:09 Ghostbird

Good luck. We tried that in the past but it didn't fix our issue.

joewIST avatar Sep 21 '23 08:09 joewIST

We tried that but unfortunately it doesn't resolve our issue.

joewIST avatar Sep 21 '23 15:09 joewIST

Is there any progress on this issue?

lemonCMS avatar Apr 02 '24 10:04 lemonCMS

The cleanest solution would be to queue up the refreshes to guarantee a sequential order🤔🤔🤔 If that is possible. Have to test, but afair the tab gets a new instance of the lib, so basically we have to distinguish between what is being renewed currently. Maybe we can move the renewal information to the specific entry in the LS. Wdyt?

FabianGosebrink avatar Apr 02 '24 11:04 FabianGosebrink

We have the same issue :/ (v. 16.0.1)

sebastiandenis avatar Apr 04 '24 08:04 sebastiandenis

@FabianGosebrink I think most proposed workarounds are trying to achieve this. I tried a random renewTimeBeforeTokenExpiresInSeconds for example, assuming that it would sequence the refreshes, but that didn't work.

Ghostbird avatar Apr 10 '24 09:04 Ghostbird

@FabianGosebrink is there any chance to fix this anytime soon? We've tried many workarounds, but it seems that you can't do too much from the outside of the lib. When this error occurs, the auth data is being reset in the local storage and it affects all the tabs.

sebastiandenis avatar Apr 24 '24 08:04 sebastiandenis

I would love to, but I'm lacking time :( As soon as I get time I can try to fix this.

FabianGosebrink avatar Apr 24 '24 08:04 FabianGosebrink

Hi @FabianGosebrink, could you give us a hint on how you think this should be implemented?

I was looking at the implementation suggested on the manfredsteyer/angular-oauth2-oidc using the Lock API

https://github.com/manfredsteyer/angular-oauth2-oidc/pull/1423

Trying to replicate it on this library, but I am currently stuck on linking this library into my application locally with this error. I don't have a clue why this might be happening

image

Anyway, if you could share your thoughts on this approach, thank you in advance ^^

jugarpeupv avatar Aug 05 '24 10:08 jugarpeupv
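
The idea raised in the last two proposals above (queue the refreshes, using the Web Locks API) looks like this when the token set lives in storage shared by all tabs. This is an added example, not code from angular-auth-oidc-client or from the linked pull request; `refreshOnce`, the lock name, the storage key and the token shape are assumptions, and `storage` and `locks` are passed in so the function can also run outside a browser.

```javascript
// Added example. LOCK_NAME, STORAGE_KEY, refreshOnce and the token shape
// { accessToken, refreshToken, expiresAt } are hypothetical, not library API.
const LOCK_NAME = 'oidc-token-refresh';
const STORAGE_KEY = 'oidc-tokens';

function readTokens(storage) {
  try {
    return JSON.parse(storage.getItem(STORAGE_KEY) || 'null');
  } catch {
    return null; // a corrupt entry is treated as "no tokens"
  }
}

/**
 * storage:   localStorage-like object shared by all tabs of the origin
 * locks:     LockManager-like object (navigator.locks in a browser)
 * doRefresh: async (refreshToken) => new token set from the token endpoint
 */
async function refreshOnce({ storage, locks, doRefresh, now = Date.now, minValidityMs = 10000 }) {
  // Default lock mode is exclusive: callbacks registered under the same
  // name run one at a time across every tab of the origin.
  return locks.request(LOCK_NAME, async () => {
    // Re-read inside the lock: another tab may have refreshed while this
    // one was waiting, so its result is reused instead of refreshing again.
    const current = readTokens(storage);
    if (current && current.expiresAt - now() > minValidityMs) {
      return { tokens: current, refreshed: false };
    }
    if (!current || !current.refreshToken) {
      throw new Error('no refresh token in shared storage');
    }
    const next = await doRefresh(current.refreshToken);
    storage.setItem(STORAGE_KEY, JSON.stringify(next));
    return { tokens: next, refreshed: true };
  });
}
```

In a browser the call would pass `localStorage` and `navigator.locks`; a tab that finds a still-valid token set after acquiring the lock returns it without contacting the token endpoint.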