This repository has been archived by the owner on Mar 21, 2024. It is now read-only.

Add support for automatic, transparent refresh of access tokens #31

Open
mooreds opened this issue Jan 11, 2023 · 5 comments
Assignees
Labels
enhancement New feature or request

Comments

@mooreds
Collaborator

mooreds commented Jan 11, 2023

Add support for automatic, transparent refresh of access tokens

Problem

Currently, if I am making requests of an external API that is using the access token retrieved from the OAuth server as a credential, I have to catch a failure/access denied request, and then manually call the refresh token endpoint, then repeat my call.

Solution

It would be great if the SDK automatically renewed the access token without any work on my part.

One option would be to have the server side SDK code send down a cookie that expired just before the access token did. This cookie could contain no secrets, so it could be readable by JS. We could set a timer to check for this cookie regularly. When the cookie is gone/expired, the SDK JS could call out to the refresh token endpoint and get a new access token.

There may be other approaches that would work.

Alternatives/workarounds

n/a

Additional context

FusionAuth/fusionauth-issues#1674 outlines this functionality as well.

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

@andrewpai

Our latest React SDK has some support for this now. We didn't want to add in eager refresh, since that could lead to millions of browsers eagerly and unnecessarily refreshing tokens for a given application, generating a lot of unneeded traffic. Instead, we added support for a non-HttpOnly cookie that holds the expiration time, and a refreshToken() function that will only actually perform the refresh if the access token is near its expiration time. The idea is to call refreshToken() prior to making a call to the back end.

This cookie is set in our new hosted OAuth back end (released in 1.45), and you can see an example of it in our example server code as well: https://github.com/FusionAuth/fusionauth-example-react-sdk/blob/main/server/routes/refresh.js#L34

@JakeLo123 JakeLo123 added the enhancement New feature or request label Feb 5, 2024
@JakeLo123 JakeLo123 self-assigned this Feb 15, 2024
@JakeLo123
Collaborator

I would recommend extending this by:

  1. Returning a promise from that method — it currently returns void, which blocks the consuming application’s access to the result of the API call.
  2. Providing an accessTokenExpirationMoment value returned from the SDK. A consuming app can get this from their cookies, but that’s not documented.

This provides missing context so that consuming apps can manage refreshing tokens to fit their need without unneeded API calls.

I estimate that this would take 0.5 to 1 days to implement. If you think that's worth it @mooreds, I'll get hacking.

@mooreds
Collaborator Author

mooreds commented Feb 15, 2024

Why can't the library keep track of the time and then call refresh itself when the moment is near (maybe document that it will do so sometime 30 seconds before the access token expires)? Why do we have to have the user of the SDK know that they need to call refreshToken() or check the accessTokenExpirationMoment?

What am I missing?

Also @JakeLo123, did you review FusionAuth/fusionauth-issues#1674? The submitter had some good ideas.

Finally, don't forget that when you call refreshToken(), you might get a new refresh token as well as an access token so we'd need to make sure to update the refresh token value.
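A timer-driven version of what this comment asks for (the library refreshes a documented lead time before expiry, and stores a rotated refresh token when the response carries one), as an added example that is not the SDK's code. The clock and timer are injected so the schedule can be driven without waiting; the response field names follow the OAuth 2.0 token endpoint response, and everything else (`newStore`, `startAutoRefresh`, `LEAD_MS`) is assumed for this example.

```javascript
const LEAD_MS = 30_000; // documented lead time: refresh 30 seconds before the access token expires

// In-memory token state. Real code would keep the tokens in HttpOnly cookies server-side;
// the fields are here so the rotation logic has something to update.
function newStore(accessToken, refreshToken, expiresAtMs) {
  return { accessToken, refreshToken, expiresAtMs, rotations: 0 };
}

// Apply an OAuth 2.0 token response. If the server rotated the refresh token, the new
// value replaces the stored one; the old one is normally revoked, so keeping it would
// make the next scheduled refresh fail.
function applyTokenResponse(store, resp, nowMs) {
  if (typeof resp.access_token !== "string" ||
      !Number.isInteger(resp.expires_in) || resp.expires_in <= 0) {
    throw new Error("malformed token response");
  }
  store.accessToken = resp.access_token;
  store.expiresAtMs = nowMs + resp.expires_in * 1000;
  if (typeof resp.refresh_token === "string" && resp.refresh_token !== store.refreshToken) {
    store.refreshToken = resp.refresh_token;
    store.rotations += 1;
  }
  return store;
}

// Milliseconds until the refresh should fire: `leadMs` before expiry, never negative.
function refreshDelayMs(expiresAtMs, nowMs, leadMs = LEAD_MS) {
  return Math.max(0, expiresAtMs - leadMs - nowMs);
}

// Keep one timer armed for the next refresh and re-arm from the new expiry after each
// success. `refreshFn(refreshToken)` performs the network call and resolves to the token
// response. In a browser pass Date.now / setTimeout / clearTimeout; the injection exists
// so tests can use a fake clock. Returns a stop function.
function startAutoRefresh(store, refreshFn,
                          { now, setTimer, clearTimer, leadMs = LEAD_MS, onError = () => {} }) {
  let handle = null;
  let stopped = false;
  const arm = () => {
    if (stopped) return;
    handle = setTimer(async () => {
      try {
        const resp = await refreshFn(store.refreshToken);
        applyTokenResponse(store, resp, now());
        arm();
      } catch (e) {
        // e.g. the refresh token was revoked: stop and let the app re-authenticate
        onError(e);
      }
    }, refreshDelayMs(store.expiresAtMs, now(), leadMs));
  };
  arm();
  return () => {
    stopped = true;
    if (handle !== null) clearTimer(handle);
  };
}

// Demo with real timers and a fake authorization server that rotates the refresh token:
// expiry is 35 ms away, so with a 30 ms lead the refresh fires after ~5 ms.
function demo() {
  const store = newStore("at-0", "rt-0", Date.now() + 35);
  let n = 0;
  const fakeServer = async (rt) => ({ access_token: `at-${++n}`, refresh_token: `rt-${n}`, expires_in: 3600 });
  const stop = startAutoRefresh(store, fakeServer,
    { now: Date.now, setTimer: setTimeout, clearTimer: clearTimeout, leadMs: 30 });
  setTimeout(() => { console.log(store); stop(); }, 50);
}
if (typeof require !== "undefined" && require.main === module) demo();
```

The eager variant trades the traffic concern raised earlier in the thread for simplicity: every open tab refreshes on its own schedule whether or not it makes API calls, so a deployment with many idle sessions should weigh that against the lazy, call-time check.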

@JakeLo123
Collaborator

Why can't the library keep track of the time and then call refresh itself when the moment is near

I think we can accomplish it that way, and include it in documentation 👍

Finally, don't forget that when you call refreshToken(), you might get a new refresh token as well as an access token so we'd need to make sure to update the refresh token value.

Noted!

@mooreds
Collaborator Author

mooreds commented Feb 15, 2024

I think we should not implement this right now, since for now we want to focus on bug fixes. And this isn't a bug.

But please add this to the list of possible enhancements and we'll prioritize them once the bug fixes are done.

3 participants