-
Notifications
You must be signed in to change notification settings - Fork 366
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support getAccessTokenSilently
for multiple audiences in parallel
#1253
Comments
Thanks for opening this. I want to mention that the recommendation is to use one logical API, as per https://auth0.com/docs/get-started/apis/set-logical-api. You can still use mutliple APIs, and have proper permission management between the different APIs (even for customer/internal etc). But the benefit is that the authorization flow is simplified by using a single logical API and would avoid the issue you are having here. When using multiple APIs, the behavior you are seeing is expected and we encourage you to look into adopting the pattern mentioned in the URL above.
The lock was mainly implemented to avoid simultaneously contacting auth0's |
Sorry for commenting months later @frederikprijck, but does this mean this is not a feature that is likely to be implemented? We are hoping to run at least 2 calls to I can appreciate the idea of having a single logical API, but I'm not sure if it helps in our case, unless we just abandon the idea of having multiple client ids. Please let me know if I'm mistaken, I'm relatively new to auth0, but otherwise it still seems like it is worth changing something about the lock in |
I am not sure i see why it cant use the same client id. That said, i believe two different client ids is different than two audiences, and i can see it could make sense to have a lock be bound to the client id, but i believe it makes less sense in your use case, but more when we consider two tabs with two different application. Also a logical API solves multiple audiences, not multiple client IDs. But I would recommend reconsidering if u can use a single client id. Even though it would help for your usecase, i don't believe this to be something that can be prioritized on the short term. That said, maybe a PR may be accepted for this if u have a strong need, but i redirect that to @gyaneshgouraw-okta and @nandan-bhat . |
Absolutely. Thanks very much for the prompt and helpful reply. To try to explain, our use case is that we would prefer to use different client ids to maintain separation of concerns between each host page and this shared embedded application, so that it's more portable (e.g. it does not need each client it's hosted with to be configured with the required claims). Hopefully there is a possible solution I or someone else can make a PR for, but in the meantime, we'll look into alternatives. Edit: after reading through the code for the |
Sorry @wuunwkn, but I'm not sure what that link is meant to indicate. Does redhat have a similar problem? |
Checklist
Describe the problem you'd like to have solved
It's impossible in the current implementation to get an access token for multiple different audiences in parallel, as the client acquires a global lock prior to fetching a token. We have the following code snippet:
But in practice, all of the networking is sequential. Since the page cannot fully load until both tokens are available, this adds delays that are impossible to reduce with the current implementation.
Describe the ideal solution
If I call
getAccessTokenSilently
in parallel with two different audiences, I would like the resulting network request to fire in parallel.Alternatives and current workarounds
Using localStorage caching is an alternative we've considered, but does not solve the initial login flow when the tokens are not cached, and has obvious security implications.
I've seen recommendations for changing the structure to use scopes instead of audiences, and relying on a single token, but I'd like to keep separate tokens for each of the APIs.
Additional context
Here's a screenshot of the chrome profiler, you can see a lot of time being spent waiting for some of these token calls to come back (the
authorize
andtoken
network calls are all auth0)We're working on improvements to the load times of our dashboard, and this is the biggest contributor to latency. The 3 consecutive authentication iframe flows take a combined 2-3 seconds, which adds noticeable delay.
It seems like the lock was implemented to avoid multiple processes fetching the same token, but it seems logical that we could fetch tokens for different audiences in parallel, reducing the impact of these expensive network calls.
The text was updated successfully, but these errors were encountered: