Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Persisting Token Refresh #308

Open
longden opened this issue Jul 25, 2024 · 1 comment
Open

Persisting Token Refresh #308

longden opened this issue Jul 25, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@longden
Copy link

longden commented Jul 25, 2024
edited
Loading

Describe the feature request?

Currently, there is no mechanism for the refresh token network call to outlive the suspend function(s) that call it. This can be observed in the sample by performing a token refresh, navigating away, then back, and clicking refresh. Instead of listening to the ongoing token refresh, a new request is made.

A common pattern for apps is to make a network request and, within an interceptor, fetch an access token if expired and attach it to the request. This approach can lead to any network call that is cancelled (due to timeout e.g. a short rx .timeout or navigating away from the app, especially if these calls are viewModelScoped) potentially cancelling the ongoing token exchange. This seems counterintuitive when refresh tokens are one-time use and require synchronization to ensure only one call is made. While the CoalescingOrchestrator helps in some cases it doesn't help with the scenario above. (While a grace period can be set up on the Okta side, it increases the chance of a replay attack and may not be suitable for all use cases.)

Although each client can implement a wrapper around this feels common enough with enough 'gotchas' that it might be better solved through the library. Maybe through a publish/subscribe solution, having the refresh work kick off in a separate longer-lived scope, or even a service might be more appropriate given the requirements.

This brings me to two questions:
1. Should the library provide some assistance around this?
2. Is there a suggested way of handling this with respect to this library for those who use the interceptor pattern described above?

New or Affected Resource(s)

Token Refresh

Provide a documentation link

No response

Additional Information?

No response
@longden longden added the enhancement New feature or request label Jul 25, 2024
@rajdeepnanua-okta
Copy link
Contributor

@longden, thanks for filing this suggestion. There is an accessTokenInterceptor in Credential class that can be attached to an OkHttpClient, which is not tied to any coroutine scope. The interceptor attaches an accessToken to your request, and if it's expired, refreshes automatically. The SDK internally takes care of ensuring only one refresh request is made at any time. This should address your use case if I understand correctly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@longden @rajdeepnanua-okta