L-Four

Reputation: 13531

Why can I still request an access token if refresh token has expired?

I have a question related to refresh tokens. I have configured my Angular Client in Identity Server as follows:

```csharp
// Client registration in IdentityServer (property initializers; all lifetimes are in seconds)
new Client
{
    RefreshTokenUsage = TokenUsage.OneTimeOnly,        // a refresh token may be redeemed once, then it is rotated
    AccessTokenLifetime = 30,                          // access token expires 30 s after issue
    AbsoluteRefreshTokenLifetime = 3600,               // refresh token never outlives 1 h from first issue
    RefreshTokenExpiration = TokenExpiration.Sliding,  // each redemption extends the refresh token...
    SlidingRefreshTokenLifetime = 60,                  // ...by 60 s, up to the absolute cap above
}
```

Also, my Angular client uses the 'silent renew' mechanism (using angular-auth-oidc-client).

If the Angular client is started, after 20 seconds the 'silent renew' kicks in and asks for a new access token (which makes sense, because this is about 75% of the access token lifetime of 30 seconds). It gets a new access token and all keeps working.

At a given moment in time, I stop the silent renew. This means that it does not refresh the access token anymore, and indeed, after a while my calls to the web api fail because the access token expired.

Now, minutes later I restart 'silent renew'.

The strange thing is that it succeeds in getting a new access token, but it was my understanding that this should not work anymore because the refresh token should have expired after 60 seconds?

I probably misunderstand how this sliding refresh token mechanism works. Can someone explain why I can still request a new access token with a refresh token that has expired?

Upvotes: 1

Views: 2105
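The refresh-token side of this configuration, as an added example that is not part of the question and not IdentityServer's code: a small JavaScript model of how a refresh token issued under RefreshTokenExpiration = Sliding, SlidingRefreshTokenLifetime = 60, AbsoluteRefreshTokenLifetime = 3600 and RefreshTokenUsage = OneTimeOnly is evaluated when a client redeems it at the token endpoint. The store, the handle format and the timeline are constructed for the walkthrough. Run against the timeline described in the question, it shows that the refresh token would be dead minutes after the last renew, so a later success cannot have come from a refresh-token grant.

```javascript
// Added example: a model of IdentityServer's sliding refresh-token rules for the
// client configuration in the question. Not IdentityServer's code; the store,
// handle format and timeline are constructed for the walkthrough. Times in seconds.

const SLIDING_REFRESH_TOKEN_LIFETIME = 60;    // SlidingRefreshTokenLifetime
const ABSOLUTE_REFRESH_TOKEN_LIFETIME = 3600; // AbsoluteRefreshTokenLifetime (0 = no cap)
const ONE_TIME_ONLY = true;                   // RefreshTokenUsage.OneTimeOnly

let handleCounter = 0;
function newHandle() { return `rt-${++handleCounter}`; }

// Issue a refresh token at `now`. The record carries a creation time and a
// lifetime in seconds from creation; it expires at creationTime + lifetime.
function issueRefreshToken(store, now) {
  const handle = newHandle();
  store.set(handle, { creationTime: now, lifetime: SLIDING_REFRESH_TOKEN_LIFETIME });
  return handle;
}

function isExpired(record, now) {
  return now > record.creationTime + record.lifetime;
}

// Redeem a refresh token at `now` the way the token endpoint would:
// unknown or already-consumed handle -> invalid_grant; expired -> invalid_grant;
// otherwise slide the lifetime (capped by the absolute lifetime) and, for
// OneTimeOnly, rotate the handle so the old one can never be replayed.
function redeemRefreshToken(store, handle, now) {
  const record = store.get(handle);
  if (!record) return { ok: false, error: 'invalid_grant: unknown or consumed handle' };
  if (isExpired(record, now)) {
    store.delete(handle);
    return { ok: false, error: 'invalid_grant: refresh token expired' };
  }
  let newLifetime = (now - record.creationTime) + SLIDING_REFRESH_TOKEN_LIFETIME;
  if (ABSOLUTE_REFRESH_TOKEN_LIFETIME > 0 && newLifetime > ABSOLUTE_REFRESH_TOKEN_LIFETIME) {
    newLifetime = ABSOLUTE_REFRESH_TOKEN_LIFETIME;
  }
  record.lifetime = newLifetime;
  if (ONE_TIME_ONLY) {
    store.delete(handle);
    const rotated = newHandle();
    store.set(rotated, record);   // same record and creationTime, new opaque handle
    return { ok: true, handle: rotated };
  }
  return { ok: true, handle };
}

// The timeline from the question: renew every 20 s, stop, come back minutes later.
function questionTimeline() {
  const store = new Map();
  const original = issueRefreshToken(store, 0);
  let handle = original;
  const renews = [];
  for (const t of [20, 40, 60]) {
    const r = redeemRefreshToken(store, handle, t);
    const rec = store.get(r.handle);
    renews.push({ t, ok: r.ok, expiresAt: rec.creationTime + rec.lifetime });
    handle = r.handle;
  }
  const replay = redeemRefreshToken(store, original, 61);   // old handle after rotation
  const late = redeemRefreshToken(store, handle, 60 + 300); // five minutes after the last renew
  return { renews, replay, late };
}

// Keep renewing every 20 s without a gap: the sliding window still cannot carry
// the token past AbsoluteRefreshTokenLifetime. Returns the first failing time.
function firstFailureUnderContinuousRenew() {
  const store = new Map();
  let handle = issueRefreshToken(store, 0);
  for (let t = 20; t <= 4000; t += 20) {
    const r = redeemRefreshToken(store, handle, t);
    if (!r.ok) return t;
    handle = r.handle;
  }
  return null;
}
```

With the three renews at 20, 40 and 60 s the window slides to 80, 100 and 120 s; the attempt at 360 s is rejected as expired, a replay of the first (already rotated) handle is rejected as unknown, and continuous renewal is cut off shortly after the 3600 s absolute cap. If the web API still gets a fresh access token after such a gap, the client took a different path than the refresh-token grant.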

Answers (1)

Janardhan Bikka

Reputation: 126

We have recently implemented silent renew using the oidc library from an Angular SPA.

My understanding is that the client-side library's silent renew mechanism does not use the refresh token strategy; instead, it sends an authorize request with prompt=none every time it does a silent renew, and gets a new id token and access token.

It also uses OIDC session management via an iframe to keep track of session expiry. You can see that cookie in the browser.

Upvotes: 1
