Bug: prevent concurrent access token refresh attempts #29

chasecaleb · 2021-11-03T01:08:02Z

Making multiple fetch calls using OAuth2AuthCodePKCE.decorateFetchHTTPClient(fetch) while the access token is expired will result in multiple token refresh calls. Unfortunately this causes issues such as invalid_grant error responses and potentially even rate limiting. For example, gitlab.com rate limits this particular API call to 10 requests/minute.

Here's how I worked around the issue, but it would be ideal to implement this in your library instead:

export const createGitlabOAuth = () => {
  let expiryPromise;
  let invalidGrantPromise;
  return new OAuth2AuthCodePKCE({
    authorizationUrl: 'https://gitlab.com/oauth/authorize',
    tokenUrl: 'https://gitlab.com/oauth/token',
    clientId: process.env.REACT_APP_GITLAB_CLIENT_ID,
    redirectUrl: window.location.origin,
    scopes: ['api'],
    extraAuthorizationParams: {
      clientSecret: process.env.REACT_APP_GITLAB_SECRET,
    },
    onAccessTokenExpiry: async (refreshToken) => {
      if (!expiryPromise) {
        expiryPromise = refreshToken();
      }
      const result = await expiryPromise;
      expiryPromise = undefined;
      return result;
    },
    onInvalidGrant: async (refreshAuthCodeOrToken) => {
      if (!invalidGrantPromise) {
        invalidGrantPromise = refreshAuthCodeOrToken();
      }
      // This is a void promise, so don't need to return the result. Refer to the TypeScript source
      // of OAuth2AuthCodePKCE. Types are great.
      await invalidGrantPromise;
      invalidGrantPromise = undefined;
    },
  });
};

Note: the onAccessTokenExpiry workaround was the important part for the specific scenario I encountered, but I think it makes sense to do in onInvalidGrant too.

The text was updated successfully, but these errors were encountered:

Prevent multiple concurrent token refresh calls if multiple GitLab API calls are triggered while token is expired. For more info, see issue I submitted here: BitySA/oauth2-auth-code-pkce#29

Prevent multiple concurrent token refresh calls if multiple GitLab API calls are triggered while token is expired. For more info, see issue I submitted here: BitySA/oauth2-auth-code-pkce#29 Fixes 200ok-ch#739.

chasecaleb · 2021-11-03T02:30:32Z

For additional context, check out the linked PR in organice: 200ok-ch/organice#740

lf94 · 2022-02-14T16:53:58Z

Thank you again for your explanation and suggested fix! I've just been really busy the past months. Bity development team is practically 2 people for the past year, and yeah, I'm leaving now, so this may not see any updates for awhile. I know personally if I ever need an OAuth2 solution though, I'll be using this one I've created 🙂

chasecaleb mentioned this issue Nov 3, 2021

Fix GitLab OAuth token refresh 200ok-ch/organice#740

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bug: prevent concurrent access token refresh attempts #29

Bug: prevent concurrent access token refresh attempts #29

chasecaleb commented Nov 3, 2021

chasecaleb commented Nov 3, 2021

lf94 commented Feb 14, 2022

Bug: prevent concurrent access token refresh attempts #29

Bug: prevent concurrent access token refresh attempts #29

Comments

chasecaleb commented Nov 3, 2021

chasecaleb commented Nov 3, 2021

lf94 commented Feb 14, 2022