⚠ This page is served via a proxy. Original site: https://github.com
This service does not collect credentials or authentication data.
Skip to content

Fix silent auth redirect with expired client credentials #4181

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
timgent wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix silent auth redirect with expired client credentials #4181

timgent wants to merge 1 commit into from

Conversation

@timgent
Copy link

@timgent timgent commented Jan 25, 2026
edited
Loading

This PR fixes bug #4177.

Summary

When handleIncomingRedirect({ restorePreviousSession: true }) is called with stored session data containing an expired client_id, the library now validates client expiration before attempting silent authentication. This prevents the redirect to the OAuth provider with invalid credentials, which previously caused users to be stuck on an error page.

Changes

  • Add clientExpiresAt field to ISessionInternalInfo so client expiration data flows through the existing SessionInfoManager.get()validateCurrentSession()silentlyAuthenticate() path
  • Read expiresAt from storage in the browser SessionInfoManager.get() and return it as clientExpiresAt
  • Check expiration inline in silentlyAuthenticate() using the session info fields, rather than a separate method
  • Clear stored session when client is expired to prevent retry loops

Design

Rather than adding a separate isClientExpired() method and threading storageUtility through the ClientAuthentication constructor, the expiration timestamp is surfaced as part of the session info that already gets retrieved during silent auth. This keeps the change minimal and avoids extra constructor parameters, mock plumbing, and redundant storage reads.

Checklist

  • I've added a unit test to test for potential regressions of this bug.
  • The changelog has been updated, if applicable.
  • Commits in this PR are minimal and have descriptive commit messages.

🤖 Generated with Claude Code

@timgent timgent force-pushed the fix/expired-client-silent-auth branch from d02584a to ecac935 Compare January 29, 2026 22:27
@timgent timgent marked this pull request as ready for review January 29, 2026 22:30
@timgent timgent requested a review from a team as a code owner January 29, 2026 22:30
@NSeydoux
Copy link
Contributor

NSeydoux commented Jan 30, 2026

Thanks for opening this PR! I'll have a look as soon as possible :)

@timgent timgent force-pushed the fix/expired-client-silent-auth branch 2 times, most recently from b3b7d29 to 091227c Compare February 1, 2026 10:47
NSeydoux
NSeydoux reviewed Feb 6, 2026
View reviewed changes
packages/browser/src/Session.ts Outdated
Comment on lines 88 to 98
// Check if the client registration has expired before attempting silent auth.
// Expiration only applies to confidential clients (those with a secret).
// clientExpiresAt === 0 means the registration never expires.
// clientExpiresAt === undefined with a secret means legacy data — treat as expired.
if (storedSessionInfo.clientAppSecret !== undefined) {
const expiresAt = storedSessionInfo.clientExpiresAt ?? -1;
if (expiresAt !== 0 && Math.floor(Date.now() / 1000) > expiresAt) {
window.localStorage.removeItem(KEY_CURRENT_SESSION);
return false;
}
}
Copy link
Contributor

@NSeydoux NSeydoux Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this check be moved up to validateCurrentSession?

Copy link
Author

@timgent timgent Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep fair point, will update when I find a few mins 👍

Copy link
Author

@timgent timgent Feb 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update pushed 👍

@timgent timgent force-pushed the fix/expired-client-silent-auth branch from b0e4770 to ebaee2b Compare February 7, 2026 16:35
@timgent @claude
Fix silent auth redirect with expired client credentials
0930fdd 
When client credentials expire, the silent authentication flow now
correctly detects the expiration and gracefully falls back to a
logged-out state instead of redirecting to the OAuth provider and
showing an error page. Adds a clientExpiresAt field to
ISessionInternalInfo, reads it from storage in SessionInfoManager,
and updates the CHANGELOG.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@timgent timgent force-pushed the fix/expired-client-silent-auth branch from ebaee2b to 0930fdd Compare February 7, 2026 16:35
@NSeydoux
Copy link
Contributor

NSeydoux commented Feb 11, 2026

I'm sorry, I didn't realize until now your commits weren't signed. We have a branch protection rule requiring signed commit. I can sign the commit myself, but for proper attribution I'd prefer that you setup signing keys if it's okay with you. Github provides some intructions on how to do this. If it's too much of a bother, I can go ahead with my own signature, but I would prefer you get full credit for your work :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@NSeydoux NSeydoux NSeydoux left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@timgent @NSeydoux