Refresh token working, but still getting logged out!?
I implemented refresh tokens in React with signInSilent, which works when I set the ttl on the access token to 1 minute for example. So I thought everything is great, but when I set the access token ttl to 1 hour and the refresh token ttl to 31 days I would expect the user to have to log in once a month. However the next day I'm forced to log in again.
I don't understand why this is happening and I'm wondering if it has something to do with Zitadel itself??
I would love to post the Provider code but Discord does not allow me to post that many characters!?!???
hi @tamis0583 thanks, I will look into it
hi @tamis0583 I think I understood your problem, this is happening because of Refresh Token Idle Expiration.
Changing the refresh token TTL is one thing, but how fast you are using it is another thing.
You can read about it on our blog here
This might help you understand WHY it is happening 🙂
@Rajat Singh I have set the Refresh Idle Expiration to 365 days. So I wouldn't expect it to be a problem.

My application works but the next day I'm forced to login again.
It's hard to debug as I can't really replicate the issue easily.
If I set the access token lifetime to something like 0.01 I can see the refresh token is used properly.
Hi @tamis0583 thanks for clarifying this, let me ask this
The problem is that I get back "active":"False" when I introspect the token a few times in a row.
@Rajat Singh
So just using the access_token and checking its validity is fine. And the access_token is refreshed with the refresh_token. But if we do introspection too many times in a row (that's what I think) then it returns {"active":false}, meaning zitadel thinks the token is no longer active.
Is this maybe because zitadel doesn't like too many introspection requests?
hi @tamis0583 I discussed this a bit internally.
The app must use the refresh_token grant to exchange expired access tokens with the refresh token.
The original login flow must have the offline_access scope for the app to obtain the refresh token first.
lmk if this helps
Hey @Rajat Singh, I already have the offline_access scope added. I have tested the refresh token by setting the lifetime of the access_token to like a minute. I can see that it works. Also my Refresh Token Idle Expiration is 31 days. Yet I still get logged out for some reason.
The access_token is refreshed with the silent login (see the code). So that all works.
Hey @tamis0583 the only thing I can deduce is that it only means that a refresh token can be idle for 31 days before it can no longer be used to get new tokens (not to log in).
I don't know any react so I might have to check with an engineer who knows typescript
@Rajat I think I'll make a github issue about this because it's a bug.