angular-oauth2-oidc: Interceptor sends request with expired token
Describe the bug
The interceptor sends requests with expired tokens even when useSilentRefresh is enabled. It seems like the token expired event is never triggered (tab in the background); to avoid this, we could check (when useSilentRefresh) that the token is not expired yet, and if it is, clear the access_token and refresh before sending the request.
Expected behavior
When using useSilentRefresh, the user shouldn't have to ensure that its token is valid before sending requests.
About this issue
- State: open
- Created 4 years ago
- Reactions: 5
- Comments: 21
@bjornharvold I confirm that I do this after calling loadDiscoveryDocumentAndTryLogin when the token is still not valid 👍

@santosmken Smart! I think your piece of code fixes an authentication issue I do have when I am pausing the application while debugging. Cheers 🎉
@bjornharvold I can confirm that it works. I just missed before having an if statement to check if the access token is still valid. And that is the correct place to remove the storage keys.
Steps will be:
1. loadDiscoveryDocumentAndTryLogin()
2. !this.oauthService.hasValidAccessToken() (falsy)
3. this.AUTH_STORAGE_ITEMS.map((item: string) => { sessionStorage.removeItem(item); });

Additional note that I also have this event for removing the storage keys.

    if (event.type === 'token_refresh_error') {
      this.AUTH_STORAGE_ITEMS.map((item: string) => { sessionStorage.removeItem(item); });
    }

However… @mlbiche's solution works just fine when you remove the storage items after having called loadDiscoveryDocumentAndTryLogin() and the token is still not valid.
I am seeing this issue after using silentRefresh in the initial login sequence from https://github.com/jeroenheijmans/sample-angular-oauth2-oidc-with-auth-guards/blob/master/src/app/core/auth.service.ts#L111 and the session on the idp is no longer valid. So the refresh fails, but the access token is not removed automatically and used in a subsequent call. Removing them as suggested by @mlbiche solves the issue, but I think this should be part of the lib.
I opened a PR for a partial solution to the following subset of the problem described:
When restarting the application, which would trigger loadDiscoveryDocument and all that, the access_token is successfully renewed. BUT, since the interceptor currently only checks for the presence of any Access-Token, instead of a valid one, it lets requests through attaching the old, outdated token if the refresh isn't finished yet. This returns 401 responses, which, if your error-handling is weird (which is not untypical 😅), can even lead to redirects to error pages which delete the hash fragment that would be required to login. Welcome to login-loop. I can't solve silent refresh not working, but this is easy: simply make the interceptor check the validity of the token before sending it.
https://github.com/manfredsteyer/angular-oauth2-oidc/pull/1317/files
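The check proposed in the comment above, as an added, self-contained example (not code from angular-oauth2-oidc, the linked PR, or any commenter): the bearer header is attached only while the stored token is still valid, and an expired token is cleared from storage and flagged for refresh instead of being sent. The storage keys, the millisecond-epoch format of expires_at, the skew margin and the in-memory storage are assumptions made for the example.

```typescript
// Added example: models the interceptor decision the thread asks for.
// Not library code; key names, expires_at format and skew margin are assumptions.

// Minimal storage contract so the example runs outside a browser (mirrors Web Storage).
interface AuthStorage {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

// In-memory stand-in for sessionStorage/localStorage (constructed for the example).
class MemoryStorage implements AuthStorage {
  private items = new Map<string, string>();
  getItem(key: string): string | null { return this.items.get(key) ?? null; }
  setItem(key: string, value: string): void { this.items.set(key, value); }
  removeItem(key: string): void { this.items.delete(key); }
}

// Auth-related keys to wipe together; assumption: 'expires_at' is a ms-epoch string.
const AUTH_STORAGE_ITEMS = ['access_token', 'expires_at', 'id_token', 'refresh_token', 'nonce'];

// Valid only if a token is present and its expiry (minus a skew margin) is still ahead of `now`.
// A missing or unparsable expires_at counts as invalid rather than "no expiry".
function hasValidAccessToken(store: AuthStorage, now: number = Date.now(), skewMs = 5_000): boolean {
  const token = store.getItem('access_token');
  const expiresAt = Number(store.getItem('expires_at'));
  if (!token || !Number.isFinite(expiresAt) || expiresAt <= 0) return false;
  return expiresAt - skewMs > now;
}

// Remove every stored auth item so a stale token cannot be picked up by later requests.
function clearAuthStorage(store: AuthStorage): void {
  AUTH_STORAGE_ITEMS.forEach((item) => store.removeItem(item));
}

interface AuthorizeResult { headers: Record<string, string>; needsRefresh: boolean; }

// The interceptor step: attach the bearer when valid; otherwise drop the expired token
// and tell the caller to refresh (or re-login) before the request goes out.
function authorizeRequest(store: AuthStorage, now: number = Date.now()): AuthorizeResult {
  if (hasValidAccessToken(store, now)) {
    return { headers: { Authorization: `Bearer ${store.getItem('access_token')}` }, needsRefresh: false };
  }
  clearAuthStorage(store);
  return { headers: {}, needsRefresh: true };
}
```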
Cheers guys! Very helpful.
It is executed when loadDiscoveryDocumentAndTryLogin is done in the initialisation method of my Authentication service.

Here is my AUTH_STORAGE_ITEMS:

Once again, it is a personal implementation that works for me and may (absolutely ?) not be standard. Hope it helps 😉
I am having this problem when I use localStorage instead of sessionStorage. If I have a valid access token and I close the tab, I wait until the token should be expired, and I open the tab again… Then the expired access token is still present on my localStorage and is still being sent on the requests.