Support Cross tab RT token usage better #174

Open
mooreds opened this issue Dec 6, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

mooreds commented Dec 6, 2024

Support Cross tab RT token usage better

Problem

When you use a micro-frontend and store your refresh tokens in cookies, refreshing can happen from multiple JS requests, causing issues. In particular, if you have one-time-use tokens, this scenario can happen:

  • JS in component 1 refreshes access token, gets RT A as well
  • JS in component 2 refreshes access token, gets RT B and invalidates RT A

Multiply by many possible components, and you get a thundering herd of RT requests.

Solution

The JS client should handle RT management across tabs.

Alternatives/workarounds

Handle the token management in client side code.

Additional context

Related Issues:

Internal:

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

@mooreds mooreds added the enhancement New feature or request label Dec 6, 2024
@lyleschemmerling

In your example what are the actual calls being made? I want to make sure that I understand this scenario fully.

A mermaid chart of the http requests would also be acceptable :)

mooreds commented Dec 7, 2024

Assume Component 1 and Component 2 are storing both AT and RT as cookies. The RT is one-time use.

```mermaid
sequenceDiagram
    participant Component1 as JS Component 1
    participant Component2 as JS Component 2
    participant API as API
    participant Auth as Auth Server

    Component1->>API: Call API Endpoint
    API-->>Component1: API Response
    Component2->>API: Call API Endpoint
    API-->>Component2: API Response
    Note right of Component2: AT expires, components know because of at_exp

    Component1->>Auth: Request New AT/RT
    Auth-->>Component1: New AT/RT (stored in cookie)
    Component2->>Auth: Request New AT/RT
    Auth-->>Component2: New AT/RT (stored in cookie)
```

Ideally Component2 would realize that there was already a new AT available in the cookie.

Now imagine this happens for 20 components on a page, and you are requesting 20x the RTs needed.
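The scenario in the issue body and the sequence diagram above are the same race: N components read the same expired at_exp and each one spends a one-time-use RT, so only the last refresh "wins" and the others burn tokens for nothing. The JavaScript below is an added example, not FusionAuth SDK code, showing the shape of the fix the issue asks for: serialize the refresh behind a shared lock, and re-check the cookie after acquiring the lock so that only the first component actually calls the auth server while the rest read the AT it wrote. Cookie names app.at and app.at_exp (assumed here to hold a Unix time in seconds), the lock name, and the refresh() return shape are assumptions. The in-memory cookie jar and lock are constructed stand-ins so the block runs offline under Node; in a browser the accessors would wrap document.cookie and the lock would be navigator.locks.request.

```javascript
// Added example (not FusionAuth SDK code): cross-component refresh coordination.
// Assumptions: cookies app.at / app.at_exp (Unix seconds) are readable by JS,
// and refresh() performs the RT exchange; the RT itself travels as a cookie and
// is rotated server-side, which is why every redundant call consumes one.
class RefreshCoordinator {
  constructor({ cookies, lock, refresh, now = () => Date.now() }) {
    this.cookies = cookies;   // { get(name), set(name, value) } shared by all components
    this.lock = lock;         // async (name, fn) => fn() run under an exclusive lock
    this.refresh = refresh;   // async () => ({ accessToken, expiresAt }) calls the auth server
    this.now = now;
    this.inFlight = null;     // de-duplicates callers inside this JS context
  }

  // Is the AT in the shared cookie still usable, allowing for a little clock skew?
  hasFreshToken(skewMs = 5000) {
    const exp = Number(this.cookies.get('app.at_exp'));
    return Number.isFinite(exp) && exp * 1000 - skewMs > this.now();
  }

  async getAccessToken() {
    if (this.hasFreshToken()) return this.cookies.get('app.at');
    if (!this.inFlight) {
      this.inFlight = this.refreshUnderLock().finally(() => { this.inFlight = null; });
    }
    return this.inFlight;
  }

  async refreshUnderLock() {
    // Assumed lock name; in a browser this would be navigator.locks.request(name, fn).
    return this.lock('fusionauth-refresh', async () => {
      // Another tab or component may have refreshed while we waited for the lock:
      // re-check the cookie before spending our one-time-use RT.
      if (this.hasFreshToken()) return this.cookies.get('app.at');
      const { accessToken, expiresAt } = await this.refresh();
      this.cookies.set('app.at', accessToken);
      this.cookies.set('app.at_exp', String(expiresAt));
      return accessToken;
    });
  }
}

// Constructed stand-in for the browser cookie jar shared by every component on the origin.
function memoryCookieJar(initial = {}) {
  const store = { ...initial };
  return { get: (name) => store[name], set: (name, value) => { store[name] = value; } };
}

// Constructed stand-in for navigator.locks.request: callers for one name run strictly in order.
function memoryLock() {
  const tails = new Map();
  return async (name, fn) => {
    const prev = tails.get(name) || Promise.resolve();
    let release;
    const held = new Promise((resolve) => { release = resolve; });
    tails.set(name, prev.then(() => held));
    await prev;
    try {
      return await fn();
    } finally {
      release();
    }
  };
}

// The issue's scenario: componentCount components share one cookie jar and all
// notice the expired AT at the same instant. Returns how many refreshes hit the
// auth server and the AT each component ended up with.
async function simulateThunderingHerd(componentCount) {
  let refreshCalls = 0;
  const clock = 1_700_000_000_000; // constructed "now" in ms
  const cookies = memoryCookieJar({
    'app.at': 'expired-at',
    'app.at_exp': String(Math.floor(clock / 1000) - 60), // expired a minute ago
  });
  const lock = memoryLock();
  const refresh = async () => {
    refreshCalls += 1;
    await new Promise((resolve) => setTimeout(resolve, 1)); // simulated round trip
    return { accessToken: `at-${refreshCalls}`, expiresAt: Math.floor(clock / 1000) + 3600 };
  };
  const components = Array.from({ length: componentCount }, () =>
    new RefreshCoordinator({ cookies, lock, refresh, now: () => clock }));
  const tokens = await Promise.all(components.map((c) => c.getAccessToken()));
  return { refreshCalls, tokens };
}

simulateThunderingHerd(20).then(({ refreshCalls, tokens }) => {
  console.log(`refresh calls: ${refreshCalls}, distinct tokens: ${new Set(tokens).size}`);
});
```

The inFlight promise covers components living in the same window, which is the micro-frontend case in the issue; the lock is what covers separate tabs, since each tab has its own JS context but shares the cookie jar. The re-check after acquiring the lock is the part that matters: without it, serializing the calls would still spend one RT per component, just in order rather than in parallel. Browsers without the Web Locks API would need a different cross-tab mutex (for example one built on localStorage), and the approach depends on at_exp being readable from JS.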
