Skip to content
This repository was archived by the owner on Feb 25, 2019. It is now read-only.

Transparently refreshing access tokens #1

Description

@tomkersten

Problem: When an access token expires, we must get a new one so the user can both remain logged in and make requests to authorized service endpoints.

Ideally:

  1. The process of refreshing should be invisible to the user. If an application "requires authentication" on all routes and auto-redirects to the anvil server, it will get a new token back (via the normal auth flow). However, this is obviously not using the "refresh" token that is in place...and it causes a redirect & full page refresh.
  2. Refreshing should not take place as part of a user-initiated task. Ideally the token would be "auto-refreshed" prior to its expiration to prevent subsequent requests to service endpoints the application depends on from failing. It would be relatively trivial to monitor outgoing request and refresh only when necessary. However, I feel this is less than ideal because:
    1. The next service API call would incur the cost of the refresh request in addition to the API service request itself.
    2. If multiple API calls were to take place in parallel, I believe a race condition/error would present itself at some point (one succeeds, one does not...how does failed request recover).

Any ideas on how to handle this? (my primary concern with this is in the context of an AngularJS application...but feel free to interpret outside that context as well if desired)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions