This document describes the automatic token refresh functionality implemented in the AtlanticWave-SDX multi-provider authentication system.
The token refresh system automatically monitors and refreshes authentication tokens before they expire, ensuring seamless user experience without service interruptions.
- Checks token expiry status every minute
- Monitors all active tokens (CILogon, ORCID, FABRIC API)
- Tracks refresh token availability and provider capabilities
- Attempts refresh 5 minutes before token expiry
- Uses provider-specific refresh mechanisms
- Maintains existing tokens if refresh tokens are unavailable
- Real-time token status display with countdown timers
- Refresh progress indicators
- Color-coded status badges (valid, warning, expired)
- Dismissible expiry notifications
- Graceful fallback when refresh tokens are unavailable
- User notifications for both successful and failed refreshes
- Manual refresh buttons as backup
- ✅ Refresh Token Support: Yes (when provided by CILogon)
- 🔄 Auto-Refresh: Supported when refresh_token is available
- ⏰ Typical Token Lifetime: Variable (often 300000000 seconds ≈ 9.5 years)
- ✅ Refresh Token Support: Yes (OAuth2 standard)
- 🔄 Auto-Refresh: Supported when refresh_token is available
- ⏰ Typical Token Lifetime: 3600 seconds (1 hour)
- ✅ Refresh Token Support: Yes (native API support)
- 🔄 Auto-Refresh: Always supported
- ⏰ Typical Token Lifetime: 3600 seconds (1 hour)
const { refreshStatus, manualRefresh, isTokenNearExpiry } = useTokenRefresh({
refreshBeforeExpiryMinutes: 5, // Start refresh 5 minutes before expiry
checkIntervalMinutes: 1, // Check every minute
showNotifications: true // Show success/error notifications
});New utility functions added to TokenStorage:
// Check time until token expiry (in seconds)
TokenStorage.getTimeUntilExpiry(token)
// Check if token expires within warning period
TokenStorage.isTokenNearExpiry(token, warningMinutes)
// Check if token can be refreshed
TokenStorage.canRefreshToken(token)
// Format remaining time for display
TokenStorage.formatTimeUntilExpiry(token)- Comprehensive token status dashboard
- Manual refresh buttons
- Real-time countdown timers
- Provider-specific status indicators
- Non-intrusive expiry warnings
- Dismissible notifications
- Quick refresh actions
- Positioned notifications
- Warning Period: 15 minutes (yellow warning state)
- Refresh Trigger: 5 minutes before expiry
- Check Interval: Every 60 seconds
- Notification Timeout: 10 minutes
- 🟢 Valid: Token has more than 15 minutes remaining
- 🟡 Warning: Token expires within 15 minutes
- 🔄 Refreshing: Auto-refresh in progress
- 🔴 Expired: Token has expired
- ❌ Missing: No token available
- User authenticates and obtains tokens
- System monitors token expiry in background
- 5 minutes before expiry, system automatically refreshes
- User sees brief success notification
- Token status updates with new expiry time
- System detects token expiring soon
- No refresh token available for provider
- User sees warning notification with manual re-auth prompt
- Token status shows "manual auth required"
- System attempts automatic refresh
- Refresh fails (network, server error, etc.)
- User sees error notification with manual refresh option
- Token status shows error state with retry button
- Refresh tokens stored in localStorage (same as access tokens)
- No refresh tokens exposed in URLs or logs
- Failed refresh attempts logged for debugging
- Automatic cleanup of expired refresh tokens
- HTTPS required for all refresh operations
The system provides detailed logging for debugging:
console.log(`Token for ${provider} expires in ${minutes} minutes, attempting refresh...`);
console.log(`Successfully refreshed ${provider} token`);
console.error(`Failed to refresh ${provider} token:`, error);Refresh status is persisted in KV store:
{
isRefreshing: boolean,
lastRefresh: { cilogon: timestamp, orcid: timestamp, fabric: timestamp },
refreshErrors: { cilogon: error_message, orcid: error_message, fabric: error_message }
}- Configurable refresh timing per provider
- Retry logic with exponential backoff
- Refresh token rotation support
- Advanced refresh scheduling (off-hours, usage patterns)
- Refresh success metrics and analytics
- Background refresh worker for inactive tabs
-
Normal Refresh Flow
- Authenticate with any provider
- Manually adjust token expiry to trigger refresh
- Verify automatic refresh occurs
- Check UI updates and notifications
-
No Refresh Token
- Create token without refresh_token
- Wait for expiry warning
- Verify warning notification appears
- Test manual re-authentication flow
-
Refresh Failure
- Mock refresh endpoint to return error
- Trigger automatic refresh
- Verify error handling and user notification
- Test manual refresh button
-
Multiple Providers
- Authenticate with all three providers
- Verify independent refresh handling
- Test concurrent refresh scenarios
-
Tokens not refreshing automatically
- Check browser console for errors
- Verify refresh_token exists in localStorage
- Confirm provider supports refresh tokens
-
Notifications not showing
- Check
showNotificationsconfiguration - Verify toast system is working
- Check notification permissions
- Check
-
Manual refresh fails
- Check network connectivity
- Verify provider refresh endpoints
- Check refresh token validity
Enable detailed logging by checking browser DevTools console for:
- Token expiry calculations
- Refresh attempt logs
- Provider-specific error messages
- Status updates and state changes