
Client creates a new token for each page load/refresh #53

Open
marten opened this issue Jul 5, 2016 · 5 comments

Comments

@marten
Contributor

marten commented Jul 5, 2016

I'm not sure what's going on, but if you look at the Network requests you'll see a POST /oauth/token every time, which then generates a new token on the Panoptes side. Shouldn't the client, after login, stick the access token, refresh token and expiry time somewhere in a cookie/localstorage and keep using that?

@eatyourgreens
Contributor

Should be fixed by #75, which stores the token details in session storage. New windows or tabs will probably still issue token requests, because they don't share session storage.

@eatyourgreens
Contributor

Actually, reading this again, this might be a bug in auth.js rather than oauth.js.

@camallen
Contributor

Sticking the token in local storage could be an issue for shared computers; ideally a sign-out event will clean this up, combined with a check on expired tokens during page load, etc.

However, we can certainly be smarter about token expiration and re-use than we currently are. Specifically, auth.js and oauth.js share common concerns around token lifecycle events but don't share any code. Ideally we should have different strategies:

  1. credential flow (current auth.js)
  2. implicit flow (current oauth.js)

to get the token, which is then passed into a common token re-use and management layer with hooks to renew tokens, etc.
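The common token re-use layer described above, as an added example that is not part of the Panoptes client or this thread: a storage-backed cache that either flow can feed, so a page load reuses the stored token until it is close to expiry instead of issuing a fresh POST /oauth/token, and a sign-out hook clears it. `storage` follows the Web Storage API (getItem/setItem/removeItem), so window.sessionStorage fits in the browser; memoryStorage(), the key name and the requestToken shape are assumptions for this example.

```javascript
// Added example, not the project's own code. `requestToken(refreshToken?)` is the
// flow-specific call to /oauth/token and must resolve to
// { access_token, refresh_token?, expires_in } with expires_in in seconds.
const TOKEN_KEY = 'bearer-token'; // assumed storage key
const SKEW_MS = 30 * 1000;        // renew shortly before the server-side expiry, not after it

// Map-backed stand-in for window.sessionStorage so the example runs under Node.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

function createTokenCache({ storage, requestToken, now = Date.now }) {
  let inflight = null; // dedupes concurrent callers into a single token request

  function readCached() {
    try {
      const t = JSON.parse(storage.getItem(TOKEN_KEY));
      return t && typeof t.access_token === 'string' && typeof t.expires_at === 'number' ? t : null;
    } catch (e) {
      return null; // corrupt or absent entry: behave as if nothing was stored
    }
  }

  return {
    // Resolve a usable access token; only hit the endpoint when none is cached
    // or the cached one is about to expire.
    getBearerToken() {
      const cached = readCached();
      if (cached && cached.expires_at - SKEW_MS > now()) return Promise.resolve(cached.access_token);
      if (!inflight) {
        inflight = Promise.resolve(requestToken(cached ? cached.refresh_token : undefined))
          .then((t) => {
            const entry = { access_token: t.access_token, refresh_token: t.refresh_token,
              expires_at: now() + t.expires_in * 1000 };
            storage.setItem(TOKEN_KEY, JSON.stringify(entry));
            return entry.access_token;
          })
          .finally(() => { inflight = null; });
      }
      return inflight;
    },
    // Sign-out hook: drop the stored token so it does not outlive the session on a shared machine.
    signOut() { storage.removeItem(TOKEN_KEY); },
  };
}
```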

@eatyourgreens
Contributor

eatyourgreens commented Jun 22, 2018

This is called from Auth.checkCurrent. I'm not 100% sure what current thing that is checking, but I think it's the current user.

_getBearerToken: function() {
  console.log('Getting bearer token');
  if (this._bearerToken) {
    // A token is already held in memory for this page: reuse it.
    console.info('Already had a bearer token', this._bearerToken);
    return Promise.resolve(this._bearerToken);
  } else {
    // Nothing in memory (e.g. a fresh page load), so request a new one.
    var url = config.host + '/oauth/token';
    var data = {
      'grant_type': 'password',
      'client_id': config.clientAppID,
    };
    return makeHTTPRequest('POST', url, data, JSON_HEADERS)
      .then(function(request) {
        var token = this._handleNewBearerToken(request);
        console.info('Got bearer token', token.slice(-6));
        return token;
      }.bind(this))
      .catch(function(request) {
        // You're probably not signed in.
        console.error('Failed to get bearer token');
        return apiClient.handleError(request);
      });
  }
},

@eatyourgreens
Contributor

eatyourgreens commented Jun 23, 2023

Both credential flow (auth.js) and implicit flow (oauth.js) are legacy now and not recommended for use.

OAuth 2.1 doesn’t allow the credentials flow at all.
