Angular-auth-oidc-client: Silent-Renew Reload Race Condition

Created on 19 Apr 2019  ·  2 Comments  ·  Source: damienbod/angular-auth-oidc-client

While trying to figure out an unrelated silent-renew issue I ran into a race condition that will most likely be an extremely rare occurrence.

Library Version: 9.0.3
Angular Version: 6.1.0
Description: If you reload a page during the time-frame that a silent-renew is running then the silent-renew will stop working.

Assumptions

  • The application only calls authorize if a user is not already authenticated in the library
  • The authenticated user's information is not expired (i.e. just logged in)

Easiest way to reproduce:

  1. Add a breakpoint on the last line of the OidcSecurityService.refreshSession method (return this.oidcSecuritySilentRenew.startRenew(url);)
  2. Reload the page while the execution is paused

Expected Behavior:
Silent-Renew heartbeat will continue to monitor/validate the token

Actual Behavior:
Silent-Renew heartbeat thinks that silent-renew is running so it will never kick off validation

Cause:
The only place where the running flag is changed is within the JWKs retrieval (caused by the authorized callback) which should never be triggered again unless the application manually triggers it

Work-Around / Fix
Clear the session variable storage_silent_renew_running on startup

Issue Indicator
If you enable the library logging you will see silentRenewHeartBeatCheck info that looks like the following (no timeout check between them):
silentRenewHeartBeatCheck
silentRenewRunning: true
idToken: true
_userData.value: true
silentRenewHeartBeatCheck
silentRenewRunning: true
idToken: true
_userData.value: true

Release 11 investigate

All 2 comments

I have found that this dovetails into another more common issue. If I have silent-renew enabled and go through a cycle of sleep/wake on my laptop (or just disconnect the internet); if the javascript triggers prior to my internet connection coming back up then the silent-renew will end up being disabled (the authorize page errors out because no internet and the running flag stays permanently enabled).

It may be worth it to track the start time of the silent-renew along with running flag and have it time out after a certain amount of time in order to correct both scenarios.
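Both failure modes in this thread (a reload while a renew is in flight, and a renew whose authorize request fails while offline) come down to a running marker in sessionStorage that nothing ever clears. The following is an added example, not code from angular-auth-oidc-client, of a guard that records a start timestamp alongside the flag, treats the marker as dead after a timeout, and clears it in a `finally` block so an error path cannot leave it set. The storage key name is taken from the issue; the 20-second timeout, the JSON value format, the in-memory storage shim, the fake clock, and all function names are assumptions.

```javascript
// Added example (not angular-auth-oidc-client code): a silent-renew "running"
// marker that cannot get stuck after a page reload or a failed renew.

// Key name from the issue; the JSON value with a start timestamp is an assumption.
const STORAGE_KEY = 'storage_silent_renew_running';
// Assumption: a renew still marked "running" after this long is considered dead.
const DEFAULT_TIMEOUT_MS = 20000;

// Constructed stand-in for window.sessionStorage so the example runs outside a browser.
function createMemoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

// Guard around the running flag. `now` is injectable so a fake clock can drive scenarios.
function createSilentRenewGuard(storage, now = () => Date.now(), timeoutMs = DEFAULT_TIMEOUT_MS) {
  function readMarker() {
    const raw = storage.getItem(STORAGE_KEY);
    if (raw === null) return null;
    try {
      const marker = JSON.parse(raw);
      return marker && typeof marker.startedAt === 'number' ? marker : null;
    } catch (e) {
      return null; // corrupt value: treat as not running rather than wedging forever
    }
  }
  function isRunning() {
    const marker = readMarker();
    if (marker === null) return false;
    if (now() - marker.startedAt > timeoutMs) {
      storage.removeItem(STORAGE_KEY); // stale marker left by a reload or a crashed renew
      return false;
    }
    return true;
  }
  function tryStart() {
    if (isRunning()) return false;
    storage.setItem(STORAGE_KEY, JSON.stringify({ startedAt: now() }));
    return true;
  }
  function finish() { storage.removeItem(STORAGE_KEY); }
  return { isRunning, tryStart, finish };
}

// Runs one renew attempt; the finally block guarantees the flag is cleared even
// when the authorize request throws (the offline case from the comment above).
function runRenew(guard, doRenew) {
  if (!guard.tryStart()) return 'skipped: renew already running';
  try {
    doRenew();
    return 'renewed';
  } catch (e) {
    return 'failed: ' + e.message;
  } finally {
    guard.finish();
  }
}

// Scenario 1: reload while a renew is in flight. The reload discards in-memory
// state, but sessionStorage keeps the marker and finish() never runs.
function simulateReloadDuringRenew() {
  const storage = createMemoryStorage();
  let clock = 0;
  const before = createSilentRenewGuard(storage, () => clock);
  before.tryStart();                                            // renew starts; flag is set
  const after = createSilentRenewGuard(storage, () => clock);   // "reload": fresh guard, same storage
  const blockedRightAfterReload = !after.tryStart();            // heartbeat still sees it as running
  clock = DEFAULT_TIMEOUT_MS + 1;
  const recoveredAfterTimeout = after.tryStart();               // marker expired; renew proceeds
  return { blockedRightAfterReload, recoveredAfterTimeout };
}

// Scenario 2: the authorize request fails (no network). Without try/finally the
// flag would stay set; with it, the next heartbeat can retry.
function simulateOfflineFailure() {
  const storage = createMemoryStorage();
  const guard = createSilentRenewGuard(storage, () => 0);
  const result = runRenew(guard, () => { throw new Error('network unreachable'); }); // constructed failure
  return { result, flagClearedAfterError: !guard.isRunning() };
}
```

The timeout is a safety net, not the primary mechanism: the `finally` clears the flag on every path the current process controls, and the timestamp only rescues the case the process cannot control, a reload or crash mid-renew. Pick the timeout larger than the slowest legitimate iframe round trip to the identity provider, or a slow renew will be started twice.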

fixed in version 11
