Skip to content

Improve Auth/Token-Handling

Description

The current implementation of the token and auth handling has some flaws. This issue aims to solve most of the current problems.

Current Problems

  • Problem of issue #239 (closed)
  • Problem of issue #103 (closed)
  • UFZ Frontend doesn't receive refresh token
  • Routes which should not be accessible by un-authenticated user are still accessible
  • No handling for an expired access token
  • The refresh token is currently not used

Tasks to solve current problems

Problem of issue #239 (closed)

  • In config/auth/schemes/customOIDCScheme.js update the fetchUser method to the following
  async fetchUser () {

    if (!this.check(true).valid) {
      this.$auth.logout();
      return
    }
   ...
  }

Problem of issue #103 (closed)

  • Should be solved with a better (refresh) token handling.
  • Alternatively the current form data could be saved in local storage and after a re login used to prefill the form

UFZ Frontend doesn't receive refresh token

  • Update current login method, so that it includes the "prompt: 'consent'" Parameter
  • This makes it necessary to make to login method institute specific
    • A suitable environment variable must be used to distinguish which login method should be used

Routes which should not be accessible by un-authenticated user are still accessible

  • Use the nuxt-auth module as middleware (Link) to protect routes
  • Either use it explicitly in the concerned component or use a new layout to reduce redundancy

No handling for an expired access token || The refresh token is currently not used

  • if necessary, make the expiration time visible to the user
    • and make it possible to manually refresh the token
  • check the expiration of the access token on every request
    • find a suitable when, when to check for expiration(before the request?, after the request? or both? only on failure?)
    • if refresh token is available and valid, refresh the access token
    • if refresh token is expired, log the user out

HIFIS Refresh token cannot claim new access token in a SPA

  • Currently the token endpoint of the Hifis-IDP requires the service client credentials for grant_type=refresh_token
  • The service client secret is not known by a SPA and should not be required for a refresh token obtained via PKCE-Flow

Acceptance criteria

  • TBA

Reference

Edited by Wilhelm Becker

A HIFIS Service | Privacy | Imprint | Support | Documentation | Changelog | Status