How does aurelia-auth support the full Oauth2 use case implementation, specifically regarding expiration and "refresh tokens"?
My understanding of the OAuth2 intention is that this sequence should occur:

1. Client makes request with accessToken (short-lived token).
2. Server/provider receives request; responds with 401 Unauthorized for expired token, otherwise returns response.
3. If client received 401 Unauthorized response, client re-tries authentication request for token with grant-type:refresh, using refreshToken instead of accessToken.
4. Server returns a new accessToken to client; client stores this to replace previous accessToken.
5. Client retries original request using new token.
Since this aurelia-auth module is strongly based on OAuth, is there anything in the module to help with this pattern of detecting accessToken expiration in a .catch() Promise block, and using the refreshToken to obtain/store a new accessToken? Or is the expectation that all consumers/developers using the module will implement this sort of logic?
Thanks,
Don
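The five-step sequence in the question, worked through as an added example. This is not aurelia-auth code and not part of the issue thread: it is a small fetch wrapper that retries a request exactly once after a 401 using the refresh token, shares one refresh round-trip between concurrent 401s, and gives up (clearing the stored tokens) when the refresh itself is rejected, so a revoked refresh token cannot cause a retry loop. The `/oauth/token` endpoint, the token values and the in-memory fake server are constructed for the demo and stand in for a real provider.

```javascript
// Added example (not aurelia-auth code): "401 -> refresh -> retry once" client.
// The endpoint '/oauth/token', token strings and the fake server are constructed here.

// Holds the current token pair; a real app would persist this (e.g. localStorage).
class TokenStore {
  constructor(accessToken, refreshToken) { this.accessToken = accessToken; this.refreshToken = refreshToken; }
  clear() { this.accessToken = null; this.refreshToken = null; }
}

// Wraps any fetch-like function (signature: (url, opts) -> Promise<{status, json()}>).
function createAuthClient({ fetchImpl, store, tokenUrl }) {
  let inflightRefresh = null; // concurrent 401s share a single refresh request

  async function refresh() {
    if (!inflightRefresh) {
      inflightRefresh = (async () => {
        const res = await fetchImpl(tokenUrl, {
          method: 'POST',
          body: JSON.stringify({ grant_type: 'refresh_token', refresh_token: store.refreshToken }),
        });
        if (res.status !== 200) {
          store.clear(); // refresh token expired or revoked: the user must log in again
          throw new Error('reauthentication required');
        }
        const body = await res.json();
        store.accessToken = body.access_token;
        if (body.refresh_token) store.refreshToken = body.refresh_token; // refresh-token rotation
        return store.accessToken;
      })().finally(() => { inflightRefresh = null; });
    }
    return inflightRefresh;
  }

  async function request(url, opts = {}) {
    const send = (token) => fetchImpl(url, {
      ...opts, headers: { ...(opts.headers || {}), Authorization: `Bearer ${token}` },
    });
    const res = await send(store.accessToken);
    if (res.status !== 401) return res;
    const token = await refresh(); // throws if refresh fails; no second retry, so no loop
    return send(token);
  }

  return { request };
}

// Constructed fake provider: tracks live access tokens and the current refresh token.
function makeFakeServer() {
  const state = { liveAccess: new Set(['access-1']), refreshToken: 'refresh-1', serial: 1, log: [] };
  const reply = (status, body) => ({ status, json: async () => body });
  async function fetchImpl(url, opts = {}) {
    state.log.push(url);
    if (url === '/oauth/token') {
      const body = JSON.parse(opts.body);
      if (body.grant_type !== 'refresh_token' || body.refresh_token !== state.refreshToken) {
        return reply(401, { error: 'invalid_grant' });
      }
      state.serial += 1;
      const access = `access-${state.serial}`;
      state.liveAccess.add(access);
      state.refreshToken = `refresh-${state.serial}`; // the old refresh token is now invalid
      return reply(200, { access_token: access, refresh_token: state.refreshToken });
    }
    const token = ((opts.headers || {}).Authorization || '').replace('Bearer ', '');
    if (!state.liveAccess.has(token)) return reply(401, { error: 'invalid_token' });
    return reply(200, { data: `ok:${url}` });
  }
  return { state, fetchImpl, expire: (t) => state.liveAccess.delete(t) };
}

// Walks through: normal call, expiry with two concurrent calls, then a revoked refresh token.
async function runScenario() {
  const server = makeFakeServer();
  const store = new TokenStore('access-1', 'refresh-1');
  const client = createAuthClient({ fetchImpl: server.fetchImpl, store, tokenUrl: '/oauth/token' });
  const out = {};

  out.fresh = (await client.request('/api/profile')).status;     // 200, no refresh needed

  server.expire('access-1');                                      // access token expires
  const both = await Promise.all([client.request('/api/a'), client.request('/api/b')]);
  out.afterExpiry = both.map((r) => r.status);                    // [200, 200]
  out.refreshCalls = server.state.log.filter((u) => u === '/oauth/token').length; // 1, shared
  out.tokenNow = store.accessToken;                               // 'access-2'

  server.state.refreshToken = 'revoked-elsewhere';                // e.g. session revoked server-side
  server.expire('access-2');
  try { await client.request('/api/c'); out.revoked = 'no error'; }
  catch (e) { out.revoked = e.message; }                          // 'reauthentication required'
  out.storeCleared = store.accessToken === null;                  // true
  out.totalTokenCalls = server.state.log.filter((u) => u === '/oauth/token').length; // 2
  return out;
}

runScenario().then((r) => console.log(r));
```

The single-flight `inflightRefresh` promise matters in a single-page app: several requests usually fail together when the access token expires, and without it each one would spend (and, with rotation, invalidate) the refresh token independently. The one-retry limit is what keeps a revoked refresh token from turning into an endless 401/refresh cycle.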
Thank you so much for raising this question/topic.
To be honest, I should seriously study the whole refresh token material more in depth.
I have seen so many refresh token implementations/interpretations which, from a security perspective, were like playing with fire.
Maybe interested people can share thoughts in the thread on how we could go about improving aurelia-auth with respect to refresh tokens.