code flow + refresh

[manfredsteyer]

Seems like, we are using password flow when refreshing token with code flow.

[LamboYu]

Another similar issue with code flow + refresh, when useHttpBasicAuth is set to true, refreshToken() doesn't consider this flag and it always appends client-id and client-secret to params instead of headers in BasicAuth. Need to perform a check on useHttpBasicAuth flag here.

[darrylbeck33]

Does that mean that refresh is NOT working for code flow? I am having issues getting it to work and this could be the reason why.

I call this.oauthService.setupAutomaticSilentRefresh() and after the token_expires event is caught I see the following after a successful refresh call to the ID server:

Error performing password flow Error: "Parameter jwks expected!"

Along with token_refresh_error.

If this is indeed a bug, is there any workaround available? I am required to use code flow.

Thank you!

[jeroenheijmans]

Related, or possibly even duplicate: #600

[manfredsteyer]

please retry with version 9 and make sure to not register a tokenValidationHandler for code flow.

[jeroenheijmans]

I successfully tweaked my application in this commit to use the refreshes that are possible currently with code flow, and confirmed this works as expected.

For me personally, #600 will likely remain a blocking issue before I'd switch from Implicit to Code+PKCE though, I'll update that issue with some thoughts.

EDIT: Then again, one thing that is now (esp. as long as #600 is not yet fixed) especially confusing, is that setupAutomaticSilentRefresh does check for the flow type, but silentRefresh() doesn't 😬

[manfredsteyer]

I see. Thx.

[jeroenheijmans]

So I think this issue has now been resolved in version 9, where refreshing tokens with code flow works (except for with iframes, for that we have #600). Closing this one.