
Automatic logout on refresh with invalid refresh_token instead of throwing exception #280

Closed
thomasmicro opened this issue Sep 14, 2021 · 3 comments
Labels
question Further information is requested

Comments

@thomasmicro

Describe the problem

If a refresh using an invalidated refresh_token is attempted with the example code, the whole Node.js app crashes. It is basically the same issue as auth0/auth0-spa-js#668 on the client side.

What was the expected behavior?

In case an automatic logout is not desired, the exception-handling should be documented in the examples.

Reproduction

My example is basically https://github.com/auth0/express-openid-connect/blob/master/EXAMPLES.md#5-obtaining-and-using-refresh-tokens or https://github.com/auth0/express-openid-connect/blob/master/examples/access-an-api.js.

  • I log into the PoC
  • on the identity provider, I manually invalidate the session (The error also appears when the refresh_token had expired naturally.)
  • I let the access_token expire and refresh the PoC

The logs show:

Server ready
(Use `node --trace-warnings ...` to show where the warning was created)
UnauthorizedError: Authentication is required for this route.
    at requiresLoginMiddleware (/opt/PoC/node_modules/express-openid-connect/middleware/requiresAuth.js:30:19)
    at Layer.handle [as handle_request] (/opt/PoC/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/opt/PoC/node_modules/express/lib/router/index.js:317:13)
    at /opt/PoC/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/opt/PoC/node_modules/express/lib/router/index.js:335:12)
    at next (/opt/PoC/node_modules/express/lib/router/index.js:275:10)
    at /opt/PoC/node_modules/express-openid-connect/middleware/auth.js:38:5
    at Layer.handle [as handle_request] (/opt/PoC/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/opt/PoC/node_modules/express/lib/router/index.js:317:13)
    at /opt/PoC/node_modules/express/lib/router/index.js:284:7

/opt/PoC/node_modules/openid-client/lib/helpers/process_response.js:45
      throw new OPError(response.body, response);
            ^
OPError: invalid_grant (Token is not active)
    at processResponse (/opt/PoC/node_modules/openid-client/lib/helpers/process_response.js:45:13)
    at Client.grant (/opt/PoC/node_modules/openid-client/lib/client.js:1237:26)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async Client.refresh (/opt/PoC/node_modules/openid-client/lib/client.js:984:22)
    at async RequestContext.refresh (/opt/PoC/node_modules/express-openid-connect/lib/context.js:30:23)
    at async /opt/PoC/app.js:39:24 {
  error: 'invalid_grant',
  error_description: 'Token is not active'
}

Environment

  • Version of this library used: 2.5.0
  • Which framework are you using, if applicable: expressJS
  • Other modules/plugins/libraries that might be involved:
  • Any other relevant information you think would be useful:
@adamjmcgrath
Contributor

adamjmcgrath commented Sep 14, 2021

Hi @thomasmicro - thanks for raising this

the user is automatically being logged out of the app (like in SDK-1739 Recover and logout when throwing invalid_grant on Refresh Token auth0-spa-js#668)

We can't presume this is the desired behaviour. If you've established a session on a webapp, you might not want to remove it just because you can't access an API - this is different from a SPA in that its "session" is defined by whether it can access an API.

In case an automatic logout is not desired, the exception-handling should be documented in the examples.

The examples are lightweight demonstrations of how to use the API; it would be a bit heavy-handed to add error handling to them. In the example you point to, you should also add error handling to the request, so your app doesn't crash if you get an unexpected response from https://api.example.com/products, but I feel they'd lose their focus if you added all that.

@adamjmcgrath adamjmcgrath added the question Further information is requested label Sep 14, 2021
@thomasmicro
Author

Thanks for the answer and sorry for my late reply!

I don't quite get in which use-case you want to keep someone logged in if the 'Token is not active'.

My favorite solution would be #246 including my comment there.

I would really expect to have at least one real-world example that also lists all the edge cases you need to look for, so that for a completely normal use case you can just copy & paste the pieces together and have production-grade code.

Best Regards!
Thomas

@adamjmcgrath
Contributor

I don't quite get in which use-case you want to keep someone logged in if the 'Token is not active'.

Step up auth is one use case I can think of.

So that for a completely normal use case you can just copy & paste the pieces together and have production-grade code.

I think it's beyond the scope of those examples to do this; they're just simple demonstrations of how to use the API.

My favorite solution would be #246 including my comment there.

Thanks for your comment, we're going to stick with the API as it is for now, and you'll have to write those couple of lines yourself to refresh the token. But we're always reviewing the API, so will take it into consideration if this feature proves to be popular.
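One way to write the "couple of lines" of error handling the maintainer leaves to the application, as an added example that is not the project's own code: it assumes the `isExpired()` and `refresh()` methods of `req.oidc.accessToken` and `res.oidc.logout()` as documented for express-openid-connect, the error fields match the OPError in the issue's log, and the middleware name `withApiToken` is hypothetical.

```javascript
// Added example, not code from express-openid-connect: the refresh step from
// EXAMPLES.md section 5 with error handling, so an invalid_grant answer from the
// IdP becomes a policy decision instead of a crash. Assumed from the library docs:
// req.oidc.accessToken has isExpired() and refresh(); res.oidc.logout() ends the
// web session. Error fields (error, error_description) match the issue's OPError.

async function getUsableAccessToken(accessToken, { onInvalidGrant = 'logout' } = {}) {
  if (!accessToken.isExpired()) return { status: 'ok', token: accessToken.access_token };
  try {
    const refreshed = await accessToken.refresh();
    return { status: 'refreshed', token: refreshed.access_token };
  } catch (err) {
    if (err && err.error === 'invalid_grant') {
      // Refresh token revoked or expired at the IdP: end the web session ('logout',
      // the SPA behaviour) or keep it and report the API unreachable ('keep').
      return { status: onInvalidGrant === 'keep' ? 'api_unavailable' : 'logout',
               reason: err.error_description };
    }
    throw err; // network or 5xx problems go to Express's error handler
  }
}

// Express middleware (hypothetical name): sets req.apiAccessToken or acts on the decision.
function withApiToken(options) {
  return async (req, res, next) => {
    try {
      const result = await getUsableAccessToken(req.oidc.accessToken, options);
      if (result.status === 'logout') return res.oidc.logout();
      if (result.status === 'api_unavailable') {
        return res.status(503).send(`API unavailable: ${result.reason}`);
      }
      req.apiAccessToken = result.token;
      return next();
    } catch (err) {
      return next(err);
    }
  };
}

// Constructed stand-in for the failing refresh seen in the issue's log.
function expiredTokenWithRevokedRefresh() {
  return {
    isExpired: () => true,
    refresh: async () => {
      const e = new Error('invalid_grant (Token is not active)');
      Object.assign(e, { error: 'invalid_grant', error_description: 'Token is not active' });
      throw e;
    },
  };
}
```

Mount it as `app.get('/products', requiresAuth(), withApiToken({ onInvalidGrant: 'keep' }), handler)` and read `req.apiAccessToken` in the handler; the default policy logs the user out, matching the SPA SDK.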
