Re-authenticate instead of going blank when the session is lost #3042
Open
dvdstelt wants to merge 1 commit into
App.vue renders the whole app behind shouldShowApp (authEnabled, isAuthenticated, isAnonymousRoute). When the access token expired and silent renewal failed, isAuthenticated flipped to false and the app rendered nothing, requiring a manual browser refresh to recover. Watch for the session being lost while running and re-trigger authentication: with a live identity-provider session this is a silent redirect round-trip; otherwise the user lands on the provider's login page. Skipped on anonymous routes and while a sign-in is already in progress.
5bdb083 to a9b62fe
PhilBastian reviewed Jun 26, 2026
| // renewal failed), re-trigger authentication instead of rendering a blank page. With a live | ||
| // identity-provider session this is a silent redirect round-trip; otherwise the user lands on | ||
| // the provider's login page. Without this the app renders nothing until a manual refresh. | ||
| watch([authEnabled, isAuthenticated, isAnonymousRoute], ([enabled, authenticated, anonymous]) => { |
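Review bot: the callback on the watch line takes only the new values ([enabled, authenticated, anonymous]) and has no parameter for the previous ones, so it cannot tell a lost session (isAuthenticated going from true to false) from a change in authEnabled or isAnonymousRoute while the user was already unauthenticated. If the intent is the one the comment above it states, re-authenticating after renewal failed, accept the watcher's second argument and act only on that transition. The watched sources also carry no sign-in-in-progress flag, so any guard against re-entering authentication has to sit in the callback body; a short comment on this line saying so would help the next reader.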
Contributor
I'm thinking that all this logic, including the isAnonymousRoute, isn't actually the responsibility of the App page and should instead be in the authStore. Pulling in @warwickschroeder for comment.
Contributor
Agreed, it probably shouldn't live here. I mean it'll work, but it's better handled in the auth domain. We are already handling OIDC events in useAuth.ts. These could be used to pick up on the "token expired" or "silent renewal error" events and then reauthenticate. This way we aren't "watching" a proxy state, but rather reacting to the actual OIDC event.
Problem
When OIDC auth is enabled and the access token expires (and silent renewal does not succeed), App.vue renders nothing and the user has to manually refresh the browser to recover.
App.vue gates the entire app behind shouldShowApp (authEnabled, isAuthenticated, isAnonymousRoute). On token expiry, oidc-client-ts clears the token, isAuthenticated flips to false, and that v-if renders nothing. Nothing re-triggers authentication, so the page stays blank until a refresh re-runs the auth flow on mount.
Fix
Watch for the session being lost while the app is running and re-trigger authentication via the existing useAuth().authenticate() flow:
the user keeps working.
already in progress, to avoid loops.
Tests
App.spec.ts: re-authenticates on token loss; does not while already authenticating; does not on an anonymous route.
Notes
master directly.
identity-provider configuration concern (the provider must grant offline_access so a refresh token is issued); ServicePulse already requests it.
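One way to wire the event-driven approach suggested in the review while keeping this PR's two guards (anonymous route, sign-in already in progress). This is an added example, not ServicePulse code: installReauthOnSessionLoss, SessionEvents and FakeEvents are hypothetical names, and the two subscription methods are assumed to match the oidc-client-ts UserManager.events surface, each returning an unsubscribe function.

```typescript
// Added example; not ServicePulse code. Names below are hypothetical.
type Unsubscribe = () => void;
type Outcome = "started" | "skipped:anonymous-route" | "skipped:in-progress";

// Assumed subset of the oidc-client-ts UserManager.events surface.
interface SessionEvents {
  addAccessTokenExpired(cb: () => void): Unsubscribe;
  addSilentRenewError(cb: (err: Error) => void): Unsubscribe;
}

function installReauthOnSessionLoss(
  events: SessionEvents,
  authenticate: () => Promise<unknown>, // stand-in for useAuth().authenticate()
  isAnonymousRoute: () => boolean,
) {
  const history: Outcome[] = [];
  let inProgress = false;
  const release = (): void => { inProgress = false; };

  const onSessionLost = (): void => {
    if (isAnonymousRoute()) { history.push("skipped:anonymous-route"); return; }
    // Expiry and renew-error can both fire for one lost session: start once.
    if (inProgress) { history.push("skipped:in-progress"); return; }
    inProgress = true;
    history.push("started");
    // Release on success or failure so a later event can retry.
    authenticate().then(release, release);
  };

  const offs = [
    events.addAccessTokenExpired(onSessionLost),
    events.addSilentRenewError(onSessionLost),
  ];
  return { history, dispose: (): void => offs.forEach((off) => off()) };
}

// Constructed in-memory event source so the example runs offline.
class FakeEvents implements SessionEvents {
  private subs: Array<() => void> = [];
  private add(cb: () => void): Unsubscribe {
    this.subs.push(cb);
    return () => { this.subs = this.subs.filter((f) => f !== cb); };
  }
  addAccessTokenExpired(cb: () => void): Unsubscribe { return this.add(cb); }
  addSilentRenewError(cb: (err: Error) => void): Unsubscribe {
    return this.add(() => cb(new Error("constructed renew failure")));
  }
  fire(): void { this.subs.forEach((f) => f()); } // raises both events
}
```

The history array records why each event did or did not start a sign-in, which gives App.spec.ts-style tests something to assert on without watching isAuthenticated.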