HttpInterceptor does not allow correct workflow without refresh token fallback. #627
Closed
6 tasks done
Labels
bug
This points to a verified bug in the code
Checklist
Description
Due to browser restrictions we had to disable the refresh token fallback (useRefreshTokensFallback: false) and are now catching the corresponding potential errors as described (https://auth0.github.io/auth0-spa-js/interfaces/Auth0ClientOptions.html#useRefreshTokensFallback) during the login flow, which works correctly.
We have API routes that are accessible anonymously but provide additional information for logged-in users. They are configured using "allowAnonymous: true". When the access token for these expires, but the user is authenticated, we would like to do a loginWithRedirect to retrieve a new token.
The problem is that the AuthHttpInterceptor does a "getAccessTokenSilently()" (which will fail with "missing_refresh_token"), then checks if the route is configured as "allowAnonymous" and ignores the error if this is the case, executing the request without a token and without a possibility to react to the error as a result. (See https://github.com/auth0/auth0-angular/blob/main/projects/auth0-angular/src/lib/auth.interceptor.ts#L72)
I can see two possible solutions:
tl;dr: The current AuthHttpInterceptor implementation does not comply with the recommended workflow for the "useRefreshTokensFallback: false" configuration (see example https://auth0.github.io/auth0-spa-js/interfaces/Auth0ClientOptions.html#useRefreshTokensFallback)
Reproduction
Additional context
No response
auth0-angular version
2.2.3
Angular version
18.0.0
Which browsers have you tested in?
Chrome, Firefox, Other
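The interceptor behaviour described in this issue, reduced to a dependency-free TypeScript model (an added example, not code from auth0-angular or from the reporter). `TokenSource`, `Outcome`, `describedFlow`, `surfacingFlow` and the `isAuthenticated` argument are hypothetical names, and the second function is one possible way to let the application react, not the project's fix.

```typescript
// Added illustration; every name below is a hypothetical stand-in.
type TokenSource = () => Promise<string>;
interface RouteConfig { allowAnonymous: boolean; }
interface Outcome {
  authorizationSent: boolean; // request carried an access token
  needsRedirect: boolean;     // application should start loginWithRedirect
}

// Constructed stand-in for the "missing_refresh_token" failure.
function missingRefreshToken(): Error & { error: string } {
  return Object.assign(new Error('Missing Refresh Token'), {
    error: 'missing_refresh_token',
  });
}

// Flow as the issue describes it: on an allowAnonymous route the token
// error is ignored and the request goes out without a token.
async function describedFlow(getToken: TokenSource, route: RouteConfig): Promise<Outcome> {
  try {
    await getToken();
    return { authorizationSent: true, needsRedirect: false };
  } catch (err) {
    if (route.allowAnonymous) {
      return { authorizationSent: false, needsRedirect: false };
    }
    throw err;
  }
}

// Variant: an authenticated user whose silent renewal failed for lack of
// a refresh token is reported to the caller instead of being downgraded.
async function surfacingFlow(
  getToken: TokenSource, route: RouteConfig, isAuthenticated: boolean,
): Promise<Outcome> {
  try {
    await getToken();
    return { authorizationSent: true, needsRedirect: false };
  } catch (err) {
    const code = (err as { error?: string }).error;
    if (isAuthenticated && code === 'missing_refresh_token') {
      return { authorizationSent: false, needsRedirect: true };
    }
    if (route.allowAnonymous) {
      return { authorizationSent: false, needsRedirect: false };
    }
    throw err;
  }
}
```

With the first flow, an authenticated user on an anonymous-capable route silently receives the anonymous response; the second keeps truly anonymous visitors on the same path while flagging the expired session.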