Angular-oauth2-oidc: Silent refresh with implicit flow do not reload all the claims

Created on 16 Oct 2019  ·  4 Comments  ·  Source: manfredsteyer/angular-oauth2-oidc

Describe the bug
As the title says, when the auth_token expires and the OIDC client calls a silent refresh, it does not reload all the claims, but only the claims related to the auth_token.

To Reproduce
Steps to reproduce the behavior:
1. In AuthConfig set a low timeoutFactor (like 0.05)
2. Log in the angular app and load the userProfile
3. Check the claims
4. Wait for a silent refresh
5. Re-check the claims

Expected behavior
All the claims must be reloaded

Desktop (please complete the following information):

  • Browser Chrome
  • Version 8.0.4

All 4 comments

Quick question: would you consider this possibly related to, or even a duplicate of, #514?

Hi,

I forgot to mention in the post:
This problem occurs in a project that uses implicit flow.
I see the same problem in a project with code flow.

I doubt it is related to #514 because the problem (bug?) is different. In my case it does not reload the claims at all; if I force the reload, the claims are correct.

A possible workaround is this:

// Reload the profile whenever the library reports a refreshed token,
// so the userinfo claims are merged back into the freshly stored ID token claims.
this.oauthService.events.subscribe(event => {
    if (['silently_refreshed', 'token_refreshed'].indexOf(event.type) > -1) {
        this.oauthService.loadUserProfile();
    }
});

But I am not sure it's the best way to fix the problem.

The real problem is that on automatic refresh the storage (and so the claims) is overwritten with the ID token claims.
When only very few claims live in the identity token and most of them are loaded through the userprofile endpoint, that causes a problem.

I would reload the user profile after each token refresh in that case. Otherwise, you have a mix of old and new claims. Hence, @lfongaroScp's solution looks good to me.
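As an added illustration of the mechanism discussed above (the stored claims being overwritten on refresh, and the event-subscription workaround), here is a small constructed TypeScript model; it is not the angular-oauth2-oidc source and not code from any participant. The class name ModelOAuthService, the sample ID token and userinfo values, and the storage key handling are assumptions made for the model; the event names, `loadUserProfile()` and `getIdentityClaims()` mirror the names used in the thread.

```typescript
// Constructed model of the behaviour described in this thread, not the
// angular-oauth2-oidc source: merged claims live under the storage key
// "id_token_claims_obj", and a refresh rewrites that entry from the new ID
// token alone, so userinfo claims are lost until loadUserProfile() runs again.
type Claims = Record<string, unknown>;

class ModelOAuthService {
  private storage: Record<string, string> = {};
  private listeners: Array<(e: { type: string }) => void> = [];
  // Constructed sample data: a sparse ID token and a richer userinfo response.
  private idToken: Claims = { sub: 'user-123', iss: 'https://idp.example', exp: 1700000000 };
  private userinfo: Claims = { sub: 'user-123', name: 'Ada', roles: ['admin'] };
  events = { subscribe: (fn: (e: { type: string }) => void) => { this.listeners.push(fn); } };
  private emit(type: string): void { this.listeners.forEach(fn => fn({ type })); }
  getIdentityClaims(): Claims | null {
    const raw = this.storage['id_token_claims_obj'];
    return raw ? JSON.parse(raw) : null;
  }
  login(): void {  // initial login stores the ID token claims only
    this.storage['id_token_claims_obj'] = JSON.stringify(this.idToken);
    this.emit('token_received');
  }
  // Merges userinfo into the stored claims. The "sub" must match the ID token
  // (OIDC Core 5.3.2) so a foreign profile cannot be attached to this session.
  loadUserProfile(): Claims {
    const existing: Claims = this.getIdentityClaims() || {};
    if (existing['sub'] !== this.userinfo['sub']) { throw new Error('userinfo sub does not match id_token sub'); }
    const merged: Claims = { ...existing, ...this.userinfo };
    this.storage['id_token_claims_obj'] = JSON.stringify(merged);
    return merged;
  }
  silentRefresh(): void {  // the new ID token replaces the stored claims wholesale
    this.idToken = { ...this.idToken, exp: 1700003600 };
    this.storage['id_token_claims_obj'] = JSON.stringify(this.idToken);
    this.emit('silently_refreshed');
  }
}

// The workaround from the thread: re-merge the profile after every refresh.
function installProfileReload(svc: ModelOAuthService): void {
  svc.events.subscribe(e => {
    if (['silently_refreshed', 'token_refreshed'].indexOf(e.type) > -1) { svc.loadUserProfile(); }
  });
}

// Runs login -> profile load -> silent refresh, with or without the workaround.
function claimsAfterRefresh(withWorkaround: boolean): Claims {
  const svc = new ModelOAuthService();
  if (withWorkaround) { installProfileReload(svc); }
  svc.login(); svc.loadUserProfile(); svc.silentRefresh();
  return svc.getIdentityClaims() as Claims;
}
```

Without the subscription, `claimsAfterRefresh(false)` returns only the ID token claims after the refresh; with it, the userinfo claims are present again alongside the new `exp`.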
