ExtraParams are not included during token renewal #1524
Comments
|
@MelvinVermeer I assume you're not using refresh tokens? (aka including the |
|
We are not using refresh tokens, that's right. |
|
Slightly related.. when you do work with refresh tokens, the await oktaAuth.token.renewTokens({ extraParams: { organizationId: 'test' } });As you can see here, It would be very useful if both flows would work, and that the |
|
@MelvinVermeer @ljvanschie Do you mind expanding on your use case a bit? Since these appended params won't be consumed by the Authorization Server, I am assuming they are for tracking purposes. If so, perhaps providing a custom http client that appends a header would be sufficient (docs) |
|
Ah yes of course. Our account model is based on organizations. A user can be part of multiple organizations, but claims are dependent of the organization that the token is requested for. To do this, a token inline hook is configured in the Okta access policy, which is a piece of custom code that reads the organizationId from Users in our web app can select the organization they work for from a menu. Then, we |
|
For anyone that comes across this issue, and is in need for a quick workaround. This is the patch (similar to the mentioned PR) that solves the issue for our team in the mean time. diff --git a/node_modules/@okta/okta-auth-js/esm/browser/oidc/TokenManager.js b/node_modules/@okta/okta-auth-js/esm/browser/oidc/TokenManager.js
index 79931e7..fca7212 100644
--- a/node_modules/@okta/okta-auth-js/esm/browser/oidc/TokenManager.js
+++ b/node_modules/@okta/okta-auth-js/esm/browser/oidc/TokenManager.js
@@ -330,7 +330,8 @@ class TokenManager {
return Promise.reject(err);
}
this.clearExpireEventTimeout(key);
- const renewPromise = this.state.renewPromise = this.sdk.token.renewTokens()
+ const extraParams = this.sdk.storageManager.getSharedTansactionStorage().getItem('extraParams');
+ const renewPromise = this.state.renewPromise = this.sdk.token.renewTokens({ extraParams })
.then(tokens => {
this.setTokens(tokens);
if (!token && key === 'accessToken') {
diff --git a/node_modules/@okta/okta-auth-js/esm/browser/oidc/getWithRedirect.js b/node_modules/@okta/okta-auth-js/esm/browser/oidc/getWithRedirect.js
index 449f92d..aa9dcb4 100644
--- a/node_modules/@okta/okta-auth-js/esm/browser/oidc/getWithRedirect.js
+++ b/node_modules/@okta/okta-auth-js/esm/browser/oidc/getWithRedirect.js
@@ -26,6 +26,7 @@ async function getWithRedirect(sdk, options) {
const tokenParams = await prepareTokenParams(sdk, options);
const meta = createOAuthMeta(sdk, tokenParams);
const requestUrl = meta.urls.authorizeUrl + buildAuthorizeParams(tokenParams);
+ sdk.storageManager.getSharedTansactionStorage().setItem('extraParams', tokenParams.extraParams);
sdk.transactionManager.save(meta);
if (sdk.options.setLocation) {
sdk.options.setLocation(requestUrl);
|
|
Internal Ref: OKTA-750886 |
|
@MelvinVermeer @kev1nboer @ljvanschie Are you able to try this branch (#1529) and confirm it works for your use case? |
|
Thank you for the quick action, token renewal works as expected, it keeps using the same extraParams! 🙌 |
|
Thanks for the confirmation. I'll need to add some tests before this can be merged. Should be released shortly |
|
Sounds great. Oh there is one more thing I need to test as well. I checked whether the |
|
@jaredperreault-okta 👍 works for my case. Thanks |
|
I tested it again and unfortunately I don't see the When I inspect the auto-renewal token requests that okta-auth-js performs on the background, I also don't see the |
|
@ljvanschie I misunderstood the |
|
Thanks a lot, it now works good! 🎉 |
|
When do you expect this to be released? Is there anything we can do to help? |
|
This was resolved by #1529 and just released to npm in |
Describe the bug
When signing in using the following snippet, I would expect the same
extraParamsobject to be used when renewing the token.Reproduction Steps?
oktaAuth.tokenManager.renew('accessToken')Observe that in the first call (sign in) the extraParams are in the authorize url, while in the second call (renewal) they aren't.
SDK Versions
System:
OS: macOS 14.4.1
CPU: (12) arm64 Apple M3 Pro
Memory: 63.22 MB / 18.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 18.19.0 - ~/.nvm/versions/node/v18.19.0/bin/node
Yarn: 1.22.22 - /opt/homebrew/bin/yarn
npm: 10.2.3 - ~/.nvm/versions/node/v18.19.0/bin/npm
Browsers:
Chrome: 126.0.6478.127
Firefox: 127.0.2
Safari: 17.4.1
npmPackages:
@okta/okta-auth-js: 7.7.0 => 7.7.0
@okta/okta-react: 6.9.0 => 6.9.0
Additional Information?
Proposed solution #1525
Store the
extraParamsduring the sign in process, and reuse when renewing the token. A working version of this is implemented in PR #1525.Alternative solution
Another way this could work is implementing a second, optional parameter for the renew function with the type
RenewTokensParams.I chose not to implement this solution because it would eventually require changing
getOrRenewAccessToken(). In my opinion having the behavior implicitly is just convenient.The text was updated successfully, but these errors were encountered: