oidc-client-ts icon indicating copy to clipboard operation
oidc-client-ts copied to clipboard
verified publisher icon authts

Automatic silent renew doesn't use refresh token if access token is already expired

Open Yurickh opened this issue 8 months ago • 1 comments

Related to #644, but not exactly the same, so decided to open this separately.

Reproducing

In a setup where:

  • You save user state in localStorage
  • You use refresh tokens
  • automaticSilentRenew is set to true

If you open a page with an expired token, but a valid refresh token, oidc-client-ts doesn't use the refresh token to renew. Instead, it just gives up renewing completely.

Possible root causes

Upon digging a bit, I've found out that in AccessTokenEvents, we drop completely the timer when the user is expired, which is decided based on access token, instead of refresh token.

Yurickh avatar Jun 03 '25 16:06 Yurickh

Also experiencing this. Since I'm using tokens with 5-minute expiration (Keycloak default), it just takes closing your tab for >5 minutes to hit it.

The linked issue mentions that Keycloak's refresh_expires_in isn't a standard, which I can understand. Honestly, I assumed the package would optimistically send a refresh request, and just cut the timer if that request fails. Is that naive?

mateenkasim avatar Oct 10 '25 18:10 mateenkasim