setupAutomaticSilentRefresh() does not schedule refresh for tokens obtained from localStorage

[bedag-moo]

Reproduction

    oauth.configure({
      clientId: environment.openIdConnect.clientId,
      issuer: environment.openIdConnect.issuer,
      scope: "openid profile email",
      redirectUri: window.location.origin + "/",
      silentRefreshRedirectUri: window.location.origin + "/assets/silent-refresh.html",
      timeoutFactor: 0.002,
    });
    oauth.setStorage(localStorage);
    oauth.tokenValidationHandler = new JwksValidationHandler();
    oauth.setupAutomaticSilentRefresh();

1. log in
2. Press F5 to reload the app
3. Wait a bit for the token refresh timeout (which is extra short, to simplify testing)

Expected: Token is refreshed
Actual: Token is not refreshed

Cause

setupAccessTokenTimer() is not invoked, because the service constructor calls restartRefreshTimerIfStillLoggedIn() before the storage is set, causing hasValidAccessToken() to return false.

As an aside, calcTimeout() applies the timeoutFactor relative to the current time. If an almost expired token is reloaded from local storage, the computed grace period may be too short to perform the refresh. Perhaps it would be better to use a fixed size grace period instead?

[manfredsteyer]

Thanks for this information and this great analysis. I've solved those issues as follows:

• restartRefreshTimerIfStillLoggedIn is now called at the end of setupAutomaticSilentRefresh
• calcTimeout uses now the time when the token was retrieved/ stored instead of Date.now()

The fix will land in a few minutes. Can you pls check if it works for you now?

[manfredsteyer]

Its now on npm

[bedag-moo]

Seems to work now :-)

Thanks for the prompt fix!

[codingsteff]

The call restartRefreshTimerIfStillLoggedIn brings our e2e-Protractor-Tests to time out.
It seems like the root-cause is the Observable.delay() operator in setupAccessTokenTimer resp. setupIdTokenTimer

As a workarround I run setupAutomaticSilentRefresh outside of the current zone:

this.ngZone.runOutsideAngular(() => {
      this.oauthService.setupAutomaticSilentRefresh();
    });

Should I make a PR?

[NilsEngelbach]

We also stumbled over this issue.
And for us it is not enough to run the `setupAutomaticSilentRefresh();`` outside of angular, because the timers are also started as soon as the tokens are received.

angular-oauth2-oidc/angular-oauth2-oidc/src/oauth-service.ts

Line 215 in e28e14b

this.events.filter(e => e.type === 'token_received').subscribe(_ => {

       this.events.filter(e => e.type === 'token_received').subscribe(_ => {
            ...
            this.setupExpirationTimers();
        });

angular-oauth2-oidc/angular-oauth2-oidc/src/oauth-service.ts

Line 246 in e28e14b

.delay(timeout)

    private setupAccessTokenTimer(): void {
        let expiration = this.getAccessTokenExpiration();
        let storedAt = this.getAccessTokenStoredAt();
        let timeout = this.calcTimeout(storedAt, expiration);

        this.accessTokenTimeoutSubscription =
            Observable
                .of(new OAuthInfoEvent('token_expires', 'access_token'))
                .delay(timeout)
                .subscribe(e => this.eventsSubject.next(e));
    }

This Observable will make browser.waitForAngular() time out, when running e2e tests with protractor.

@codingsteff Did you find a solution for this? Only Hack i found so far was commenting out this.setupRefreshTimer(); in the constructor of the OAuthService.

angular-oauth2-oidc/angular-oauth2-oidc/src/oauth-service.ts

Line 93 in e28e14b

this.setupRefreshTimer();

[codingsteff]

Sorry no, I didn't take more time in this.