Is there an existing issue for this?
- I have searched the existing issues
Description
Usage of OpenIddict expired refresh_tokens is not handled correctly; see the repro steps for an explanation.
Reproduction Steps
I've used the latest ABP Studio (2.1.0) to create a new Single Layer application (app-nolayers), solution name SingleLayerApp3, UI Framework Blazor WebAssembly, DB provider EF Core, DBMS SQL Server using a LocalDB connection string, multi-tenancy enabled, Basic UI theme, no optional modules, 1 language (English, default) and adding a sample CRUD page. Basically using ABP Studio and almost all default setup options.
Now, to use the refresh_token flow, I've updated (according to your documentation):
- SingleLayerApp3.Host > SingleLayerApp3HostModule.cs > PreConfigureServices

  Here I've set the token lifetimes:

  ```csharp
  PreConfigure<OpenIddictServerBuilder>(builder =>
  {
      builder.SetAccessTokenLifetime(TimeSpan.FromSeconds(20));  // Access token expires in 20 seconds
      builder.SetRefreshTokenLifetime(TimeSpan.FromSeconds(60)); // Refresh token expires in 60 seconds
  });
  ```

- SingleLayerApp3.Blazor > SingleLayerApp3BlazorModule.cs > ConfigureAuthentication > AddOidcAuthentication

  Here I added the offline access scope:

  ```csharp
  options.ProviderOptions.DefaultScopes.Add("offline_access");
  ```

- SingleLayerApp3.Host > OpenIddictDataSeedContributor.cs > CreateApplicationsAsync

  Here I updated the configuration for the Blazor client to allow the offline access scope:

  ```csharp
  scopes: [.. commonScopes, OpenIddictConstants.Scopes.OfflineAccess],
  ```

- I recreated the client in the database to make sure this new configuration is saved and used.
Now when I start the debugger on the SingleLayerApp3.Host in the https profile, it opens the browser and everything starts as expected with the default setup. Clicking the Login button (top right) opens the login page, and when providing the admin creds it logs in. Looking at the network calls in devtools, I see a refresh_token is available and the expiration times are also set correctly.
When the access_token expires after 20 seconds and I navigate to Administration > Roles, I correctly see a call to /connect/token using the refresh_token (flow) that returns a new access_token/refresh_token.
When I wait for the refresh_token to expire after 60 seconds and then navigate to Administration > Users, I see a call to /connect/token that fails because the refresh token is expired, but the Users page still renders its content, while I expect to get an Unauthorized popup or even be redirected back to the login page.
I even tried setting the following option to make sure refresh_tokens are not in a sliding window:

```csharp
builder.DisableSlidingRefreshTokenExpiration(); // Do not allow sliding expiration for refresh tokens
```
Expected behavior
Expected behavior is that when an expired refresh_token results in a context.Reject, the refresh_token should be revoked via the /connect/revocat endpoint and the user maybe even redirected back to the login page.
Actual behavior
See repro steps
Regression?
Don't know, I haven't paid much attention to this until now.
Known Workarounds
No response
Version
10.0.1
User Interface
Blazor
Database Provider
EF Core (Default)
Tiered or separate authentication server
None (Default)
Operating System
Windows (Default)
Other information
No response
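The client-side behaviour the reporter expects in the Users page scenario (a failed silent renewal must not leave the page rendering with no credentials) can be illustrated with a fail-closed Blazor WebAssembly message handler plus the page-side redirect. This is an added example, not ABP code and not the reporter's solution; it mirrors what the stock `AuthorizationMessageHandler` in Microsoft.AspNetCore.Components.WebAssembly.Authentication does and shows the consuming side explicitly. The API path `api/identity/users`, the `UserDto` record and the class names are assumptions for illustration; ABP's generated HTTP client proxies are wired differently, so this is not a drop-in for the reporter's solution. It also covers only the client side; server-side revocation of the rejected refresh_token is a separate concern.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;

// Added example (not ABP code). A request is only sent when the token
// provider can hand out a usable access token. When silent renewal fails,
// e.g. because the refresh_token has expired on the server, RequestAccessToken()
// returns a result whose Status is RequiresRedirect and TryGetToken() is false;
// we stop here instead of calling the API without credentials.
public class FailClosedAuthorizationHandler : DelegatingHandler
{
    private readonly IAccessTokenProvider _tokenProvider;
    private readonly NavigationManager _navigation;

    public FailClosedAuthorizationHandler(IAccessTokenProvider tokenProvider, NavigationManager navigation)
    {
        _tokenProvider = tokenProvider;
        _navigation = navigation;
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AccessTokenResult result = await _tokenProvider.RequestAccessToken();

        if (!result.TryGetToken(out AccessToken? token))
        {
            // The exception carries the result so the caller can send the user to the login flow.
            throw new AccessTokenNotAvailableException(_navigation, result, scopes: null);
        }

        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Value);
        return await base.SendAsync(request, cancellationToken);
    }
}

// Page-side counterpart: rather than rendering whatever the page managed to
// load, catch the exception and redirect to the interactive login.
public class UsersPageBase : ComponentBase
{
    [Inject] public HttpClient Http { get; set; } = default!;

    protected List<UserDto> Users { get; private set; } = new();

    protected override async Task OnInitializedAsync()
    {
        try
        {
            // "api/identity/users" is an assumed path for illustration.
            Users = await Http.GetFromJsonAsync<List<UserDto>>("api/identity/users") ?? new();
        }
        catch (AccessTokenNotAvailableException ex)
        {
            // Navigates to the login flow; the page is not rendered with stale state.
            ex.Redirect();
        }
    }
}

// Assumed DTO shape for the example.
public record UserDto(string Id, string UserName);
```

Wire the handler into the client the usual way: `builder.Services.AddTransient<FailClosedAuthorizationHandler>();` and `.AddHttpMessageHandler<FailClosedAuthorizationHandler>()` on the named `HttpClient` the page uses. With a 60-second refresh_token lifetime as in the repro, navigating to the page after the token has expired then lands on the login page instead of a half-rendered Users list.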