Improve Auth/Token-Handling
Description
The current implementation of the token and auth handling has several flaws. This issue aims to solve most of the current problems.
Current Problems
- Problem of issue #239 (closed)
- Problem of issue #103 (closed)
- UFZ Frontend doesn't receive refresh token
- Routes which should not be accessible to an unauthenticated user are still accessible
- No handling for an expired access token
- The refresh token is currently not used
Tasks to solve current problems
Problem of issue #239 (closed)
- In config/auth/schemes/customOIDCScheme.js update the fetchUser method to the following (the rest of the method body is unchanged and elided here):

    async fetchUser () {
      // check(true) also validates the token's expiry, not only its presence;
      // an invalid or expired session must not reach the user endpoint
      if (!this.check(true).valid) {
        this.$auth.logout()
        return
      }
      ...
    }
Problem of issue #103 (closed)
- Should be solved with a better (refresh) token handling.
- Alternatively, the current form data could be saved in local storage and, after a re-login, used to prefill the form
UFZ Frontend doesn't receive refresh token
- Update the current login method so that it includes the prompt: 'consent' parameter
- This makes it necessary to make the login method institute-specific
- A suitable environment variable must be used to decide which login method is used
Routes which should not be accessible to an unauthenticated user are still accessible
- Use the nuxt-auth module as middleware (Link) to protect routes
- Either use it explicitly in each affected component, or use a new layout to reduce redundancy
No handling for an expired access token / The refresh token is currently not used
- If necessary, make the expiration time visible to the user
- and make it possible to manually refresh the token
- Check the expiration of the access token on every request
- Decide when to check for expiration (before the request? after the request? both? only on failure?)
- If a refresh token is available and valid, refresh the access token
- If the refresh token is expired, log the user out
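The following is an added worked example of the expiry handling described in the tasks above; it is not code from this project. It checks the access token's exp claim before every request, refreshes via the refresh token when that is still valid, retries once after a 401 (a token the server no longer accepts, e.g. after revocation), and logs the user out when no usable refresh token remains. The names (decideTokenAction, sendWithTokenHandling, the injected deps object) and the 30-second clock-skew margin are assumptions for this example; the sample tokens are constructed and unsigned, because the client only reads exp to schedule refreshes and leaves signature validation to the server.

```javascript
// Added example, not project code: token-expiry handling around one request.
const CLOCK_SKEW_SECONDS = 30 // assumption: refresh slightly before real expiry

function base64UrlDecode (s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8')
}

// Reads a JWT payload without verifying it: the client needs `exp` to schedule
// a refresh; whether the token is genuine is decided by the resource server.
function decodeJwtPayload (token) {
  const parts = typeof token === 'string' ? token.split('.') : []
  if (parts.length !== 3) return null
  try { return JSON.parse(base64UrlDecode(parts[1])) } catch (e) { return null }
}

function secondsUntilExpiry (token, nowSeconds) {
  const payload = decodeJwtPayload(token)
  if (!payload || !Number.isFinite(payload.exp)) return -Infinity // missing/garbled = expired
  return payload.exp - nowSeconds
}

// The "before the request" decision: 'ok' | 'refresh' | 'logout'
function decideTokenAction (tokens, nowSeconds) {
  if (secondsUntilExpiry(tokens.accessToken, nowSeconds) > CLOCK_SKEW_SECONDS) return 'ok'
  if (secondsUntilExpiry(tokens.refreshToken, nowSeconds) > CLOCK_SKEW_SECONDS) return 'refresh'
  return 'logout'
}

// Runs one request with expiry handled before (proactive refresh) and after
// (one retry when the server answers 401). `deps` is injected so the flow can
// run without a network:
//   refresh(refreshToken) -> Promise<{ accessToken, refreshToken }>
//     (refresh_token grant as a public client: no client secret in the SPA)
//   send(accessToken)     -> Promise<{ status, body }>
//   logout()              -> void
async function sendWithTokenHandling (tokens, deps, nowSeconds) {
  const action = decideTokenAction(tokens, nowSeconds)
  if (action === 'logout') {
    deps.logout()
    return { status: 'logged_out' }
  }
  if (action === 'refresh') Object.assign(tokens, await deps.refresh(tokens.refreshToken))

  let response = await deps.send(tokens.accessToken)
  if (response.status === 401 &&
      secondsUntilExpiry(tokens.refreshToken, nowSeconds) > CLOCK_SKEW_SECONDS) {
    // server rejected a token that looked valid locally: exactly one refresh + retry
    Object.assign(tokens, await deps.refresh(tokens.refreshToken))
    response = await deps.send(tokens.accessToken)
  }
  if (response.status === 401) {
    deps.logout()
    return { status: 'logged_out' }
  }
  return response
}

// Constructed, unsigned sample token (header.payload.) for offline runs only.
function makeUnsignedJwt (payload) {
  const enc = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`
}

module.exports = { decideTokenAction, sendWithTokenHandling, secondsUntilExpiry, makeUnsignedJwt }
```

In the nuxt-auth scheme this decision would sit in the request hook that runs before each axios call; checking both before the request and on a 401 afterwards covers the case where the token is valid by its own clock but has been revoked server-side.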
HIFIS refresh token cannot claim a new access token in a SPA
- Currently the token endpoint of the Hifis-IDP requires the service client credentials for grant_type=refresh_token
- The service client secret is not known to a SPA and should not be required for a refresh token obtained via the PKCE flow
Acceptance criteria
- TBA
Reference
- Follow-up of #239 (closed)
- Follow-up of #103 (closed)
- Based on the following meeting notes: confluence link
Edited by Wilhelm Becker