Angular-auth-oidc-client: Refresh Token Flow not working

Created on 2 Sep 2019 · 8 Comments · Source: damienbod/angular-auth-oidc-client

Hey,

I'm trying to use the new refresh token, but...

If the refresh response includes the id_token, the validation fails with a nonce mismatch error.
If the response doesn't include the id_token, the validation fails because the sub in the local id_token (now empty) does not match the one from the userinfo endpoint.

enhancement investigate

All 8 comments

Hi @DemonICOLI I need to fix this, the refresh token implementation has some parts which need to be implemented. By the way, you should be using silent renew if you are implementing a SPA Angular app. Refresh tokens only make sense for native apps.

Greetings Damien

I encountered this problem too. The issue is, that in the token request with grant_type refresh_token there is no nonce included. Therefore the nonce is also not included in the response from the IDP. But the validation algorithm expects a nonce in the returned id_token. That's why the validation fails.

Now that 10.0.5 is out with refresh token, how should this be used? Just oidcConfig = { silent_renew: false, use_refresh_token: true} and we're done?

Or is there more to it?

Will it do the refresh X number of seconds before the token is going to expire?

Is this suitable for Angular? Appears to be based on the spec and lots better than hammering at silent_renew like it did before?

Thanks!

silent renew is the way to go for Angular apps (SPAs).

Is there a reason why?

There is no safe way of storing the tokens in a browser application, so if you were to lose your tokens, the tokens could be used forever without logging in again. Refresh tokens should only be used where tokens can be stored safely, or in trusted applications.

Now that 10.0.5 is out with refresh token, how should this be used? Just oidcConfig = { silent_renew: false, use_refresh_token: true} and we're done?

Or is there more to it?

If you want to use refresh tokens, you have to set silent_renew to true also. Otherwise in OidcSecurityService.refreshSession(), false will be emitted immediately.

I created a pull request that should handle the case of the failed nonce validation after a refresh token response.
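The two failure modes described in this thread (nonce mismatch when the refresh response carries an id_token, and an empty local sub when it does not) come down to how the client validates a refreshed id_token. Below is an added example, not code from angular-auth-oidc-client or from the pull request mentioned above, showing claim checks that treat the original authorization response and a refresh_token response differently, following the refresh-response rules of OIDC Core section 12.2 (iss, sub and aud must match the original token; no nonce is required because none was sent in the refresh request). All names (IdTokenClaims, SessionState, validateIdToken, idTokenAfterRefresh) and the sample claims are assumptions constructed for the example.

```typescript
// Added example (not part of angular-auth-oidc-client). Names and sample
// values below are constructed for illustration.
export interface IdTokenClaims {
  iss: string;
  sub: string;
  aud: string | string[];
  exp: number;     // seconds since epoch
  nonce?: string;  // present only when the request carried a nonce
}

export interface SessionState {
  clientId: string;
  expectedNonce: string;           // nonce sent in the original /authorize request
  originalClaims?: IdTokenClaims;  // id_token from the original authentication
}

// Returns validation errors; an empty array means the id_token is acceptable.
export function validateIdToken(c: IdTokenClaims, s: SessionState, isRefresh: boolean, nowSec: number): string[] {
  const errors: string[] = [];
  const aud = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!aud.includes(s.clientId)) errors.push('aud does not contain client_id');
  if (c.exp <= nowSec) errors.push('id_token expired');
  if (!isRefresh) {
    // Original authentication: the nonce is mandatory and must echo the request.
    if (c.nonce !== s.expectedNonce) errors.push('nonce mismatch');
    return errors;
  }
  // Refresh response: the refresh_token grant sends no nonce, so none is
  // required in the new id_token; iss and sub must match the original token.
  const orig = s.originalClaims;
  if (!orig) return [...errors, 'no original id_token to compare against'];
  if (c.iss !== orig.iss) errors.push('iss changed on refresh');
  if (c.sub !== orig.sub) errors.push('sub changed on refresh');
  if (c.nonce !== undefined && c.nonce !== orig.nonce) errors.push('nonce differs from original');
  return errors;
}

// If the refresh response carries no id_token, keep the previous one so the
// later userinfo sub comparison still has a local sub to check against.
export function idTokenAfterRefresh(previous: IdTokenClaims, refreshed?: IdTokenClaims): IdTokenClaims {
  return refreshed ?? previous;
}

// Constructed sample: original login token (with nonce) and a refreshed token
// from the same issuer and subject, without a nonce.
export const ORIGINAL: IdTokenClaims = { iss: 'https://idp.example', sub: 'user-1', aud: 'spa', exp: 2000000000, nonce: 'n1' };
export const REFRESHED: IdTokenClaims = { iss: 'https://idp.example', sub: 'user-1', aud: 'spa', exp: 2000000100 };
export const STATE: SessionState = { clientId: 'spa', expectedNonce: 'n1', originalClaims: ORIGINAL };
```

Running the original-response check against REFRESHED reproduces the "nonce mismatch" from the first comment, while the refresh-aware path accepts it.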
