
Improve token timeout behaviour

Dr Rich Wareham requested to merge github/fork/rjw57/issue-98-token-timeout into master

This PR addresses #98 (closed) and has the following dependent PRs:

  • uisautomation/hydra-consent-app#5
  • uisautomation/experimental-mock-consent-app#2
  • uisautomation/iar-deploy#31

It is quite a large PR and is best reviewed commit-wise since most commits have somewhat involved comments.

The main body of the PR is composed of two commits, 6c6e3af and 5dc698e.

6c6e3af replaces our existing use of redux-implicit-oauth2 with our own version of implicit OAuth2 flow (implemented in 86ecd15b) which distinguishes between normal and "promptless" logins. The latter logins do not require a popup window but may fail.

5dc698e makes use of the new OAuth2 login implemented by 6c6e3af in order to provide a nicer UX on token timeout. See that commit's comment for more information. The commit itself includes notes on how it may be tested.

Since token timeout behaviour rarely appears in development, 87deb90a takes the opportunity to configure the access token lifetime in development to be 5 minutes. This is done in the hope that such a short lifetime will quickly surface token timeout problems.

78b2b6e4 fixes a small visual bug with snackbars discovered during the implementation of 5dc698e.

Some aspects of this PR are a little under-tested. 5dc698e and 86ecd15b are particular examples of this. The problem is that both essentially rely on the behaviour of the browser. The former performs tricks with timeouts and the latter performs tricks with the window object. They would be better tested with a full browser environment but our test suite does not currently provide that. In lieu of automated testing, 5dc698e contains a description of a procedure which can be used to test both token timeout failure modes.

Closes #98 (closed)
