okta-auth-js

Change in tokenManager:renew

Open jpspringall opened this issue 3 years ago • 3 comments

Hi,

Not sure if this was intentional, but as part of commit #906 the renew function in tokenManager.ts has been changed at about line 412 from

this.state.renewPromise[key] = this.sdk.token.renew(token)
  .then(freshToken => {
    // store and emit events for freshToken
    const oldTokenStorage = this.storage.getStorage();
    this.remove(key);
    this.add(key, freshToken);
    this.emitRenewed(key, freshToken, oldTokenStorage[key]);
    return freshToken;
  })

to

// A refresh token means a replace instead of renewal
// Store the renew promise state, to avoid renewing again
this.state.renewPromise = this.sdk.token.renewTokens()
  .then(tokens => {
    this.setTokens(tokens);

    // resolve token based on the key
    const tokenType = this.getTokenType(token);
    return tokens[tokenType];
  })

The difference between the two renew functions is:

In the previous version, the call to this.sdk.token.renew(token) would use the scopes from the token being renewed in the renewal request.

In the current version, the call to this.sdk.token.renewTokens() uses the scopes as supplied by options.scopes.

This means that if the tokens were originally acquired by a call similar to:

getWithoutPrompt({
  clientId: this.environmentService.authentication.clientId,
  responseType: ['code'],
  scopes: this.environmentService.authentication.authScope,
  state: this.environmentService.authentication.state,
  nonce: this.environmentService.authentication.nonce,
  sessionToken: payload
})

The subsequent calls to renew may fail if the option.scopes has not been updated to the same scopes used in the original request.

Thanks

James

jpspringall, Sep 20 '21 10:09

Thanks for pointing this out. Internal Ref: OKTA-429429

@jpspringall We have pushed a fix for this issue in @okta/okta-auth-js version 5.7.0. If you are able, please confirm if updating to this version resolves your issue.

aarongranick-okta, Nov 03 '21 23:11

Thanks for this @aarongranick-okta. Unfortunately I'm not in a position to test at the moment. However, looking at the code, it looks like it will work. I'll reopen the ticket if I find it doesn't work as part of the next upgrade cycle.

Thanks

James

jpspringall, Nov 05 '21 04:11
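
The scope mismatch described in the opening post, as an added example that is not part of the thread and not okta-auth-js code: it models the two renewal behaviours with plain objects and reports where the scopes held by stored tokens differ from the configured ones. The function names, the token-store shape (each token carrying a `scopes` array) and the sample scope values are assumptions constructed for illustration.

```javascript
// Added example, not okta-auth-js code. No SDK or network is involved;
// the two helpers only model which scopes each renewal path would request.

// Earlier behaviour in the issue: scopes come from the token being renewed.
function scopesFromToken(token) {
  return [...(token.scopes || [])];
}

// Changed behaviour in the issue: scopes come from the client options.
// A missing options.scopes is treated as empty here (an assumption).
function scopesFromOptions(options) {
  return [...(options.scopes || [])];
}

// For every stored token, list scopes the token holds that the options lack
// ("missing") and scopes the options add that the token never had ("extra").
function findScopeDrift(storedTokens, options) {
  const configured = new Set(scopesFromOptions(options));
  const drift = [];
  for (const [key, token] of Object.entries(storedTokens)) {
    const granted = new Set(scopesFromToken(token));
    const missing = [...granted].filter(s => !configured.has(s)).sort();
    const extra = [...configured].filter(s => !granted.has(s)).sort();
    if (missing.length > 0 || extra.length > 0) {
      drift.push({ key, missing, extra });
    }
  }
  return drift;
}

// Constructed sample: tokens obtained with per-call scopes, while the client
// options were left at a different scope list.
const sampleTokens = {
  accessToken: { scopes: ['openid', 'profile', 'orders:read'] },
  idToken: { scopes: ['openid', 'profile', 'orders:read'] },
};
const sampleOptions = { scopes: ['openid', 'email'] };

for (const d of findScopeDrift(sampleTokens, sampleOptions)) {
  console.log(`${d.key}: renewal would drop [${d.missing}] and add [${d.extra}]`);
}
```

An empty result means both renewal paths would request the same scopes, so the change discussed above would not alter the renewal request for those tokens.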