
Conversation


@timgent timgent commented Jan 25, 2026

This PR fixes bug #4177.

Summary

When handleIncomingRedirect({ restorePreviousSession: true }) is called with stored session data containing an expired client_id, the library now validates client expiration before attempting silent authentication. This prevents the redirect to the OAuth provider with invalid credentials, which previously caused users to be stuck on an error page.

Changes

  • Add clientExpiresAt field to ISessionInternalInfo so client expiration data flows through the existing SessionInfoManager.get() → validateCurrentSession() → silentlyAuthenticate() path
  • Read expiresAt from storage in the browser SessionInfoManager.get() and return it as clientExpiresAt
  • Check expiration inline in silentlyAuthenticate() using the session info fields, rather than a separate method
  • Clear stored session when client is expired to prevent retry loops

Design

Rather than adding a separate isClientExpired() method and threading storageUtility through the ClientAuthentication constructor, the expiration timestamp is surfaced as part of the session info that already gets retrieved during silent auth. This keeps the change minimal and avoids extra constructor parameters, mock plumbing, and redundant storage reads.

Checklist

  • I've added a unit test to test for potential regressions of this bug.
  • The changelog has been updated, if applicable.
  • Commits in this PR are minimal and have descriptive commit messages.

🤖 Generated with Claude Code
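The check the description above calls for, as an added stand-alone example: it is not code from this PR or from the library the PR targets. It models the path the Changes section names (a storage read that surfaces `expiresAt` as `clientExpiresAt`, an inline expiry check in the silent-auth step, and clearing the stored session on expiry so a second call cannot loop). The `FakeStorage` class, the `session:<id>` key layout, the `StoredRecord`/`SessionInternalInfo` shapes, the `SilentAuthOutcome` result type and the treatment of a missing `clientExpiresAt` as "not expired" are all assumptions made for the example.

```typescript
// Added example, not library code. Every identifier below is assumed for illustration.

// Shape of the record as it sits in browser storage (assumed layout).
interface StoredRecord {
  sessionId: string;
  clientId?: string;
  expiresAt?: number; // epoch ms at which the registered client expires
}

// Shape handed to the silent-auth step; mirrors the clientExpiresAt field the PR adds.
interface SessionInternalInfo {
  sessionId: string;
  clientId?: string;
  clientExpiresAt?: number;
}

// Minimal in-memory stand-in for the browser storage the session is read from.
class FakeStorage {
  private store = new Map<string, string>();
  set(key: string, value: string): void { this.store.set(key, value); }
  get(key: string): string | undefined { return this.store.get(key); }
  delete(key: string): void { this.store.delete(key); }
  has(key: string): boolean { return this.store.has(key); }
}

const sessionKey = (sessionId: string): string => `session:${sessionId}`;

function storeSession(storage: FakeStorage, record: StoredRecord): void {
  storage.set(sessionKey(record.sessionId), JSON.stringify(record));
}

// Counterpart of the SessionInfoManager.get() change: read the stored record and
// return its expiresAt as clientExpiresAt so the caller can check it.
function getSessionInfo(storage: FakeStorage, sessionId: string): SessionInternalInfo | undefined {
  const raw = storage.get(sessionKey(sessionId));
  if (raw === undefined) return undefined;
  const record = JSON.parse(raw) as StoredRecord;
  return { sessionId: record.sessionId, clientId: record.clientId, clientExpiresAt: record.expiresAt };
}

// Assumption: a record with no expiry is treated as not expired (e.g. a static client).
function isClientExpired(info: SessionInternalInfo, now: number): boolean {
  return info.clientExpiresAt !== undefined && info.clientExpiresAt <= now;
}

type SilentAuthOutcome =
  | { action: "redirect"; clientId: string } // safe to send the user to the OAuth provider
  | { action: "logged-out"; reason: string }; // fall back to a logged-out state, no redirect

// Counterpart of the inline check in silentlyAuthenticate(): validate before redirecting,
// and clear the stale record so the next call does not retry the expired client.
function silentlyAuthenticate(storage: FakeStorage, sessionId: string, now: number = Date.now()): SilentAuthOutcome {
  const info = getSessionInfo(storage, sessionId);
  if (info === undefined || info.clientId === undefined) {
    return { action: "logged-out", reason: "no stored session" };
  }
  if (isClientExpired(info, now)) {
    storage.delete(sessionKey(sessionId));
    return { action: "logged-out", reason: "client_id expired" };
  }
  return { action: "redirect", clientId: info.clientId };
}
```

Run against a storage that holds a client whose `expiresAt` is in the past, the first call returns `logged-out` and deletes the record; the second call also returns `logged-out` (with reason "no stored session") rather than redirecting again, which is the retry loop the PR's last bullet guards against.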

@timgent timgent force-pushed the fix/expired-client-silent-auth branch from d02584a to ecac935 on January 29, 2026 22:27
@timgent timgent marked this pull request as ready for review January 29, 2026 22:30
@timgent timgent requested a review from a team as a code owner January 29, 2026 22:30
@NSeydoux
Contributor

Thanks for opening this PR! I'll have a look as soon as possible :)

@timgent timgent force-pushed the fix/expired-client-silent-auth branch from ecac935 to b3b7d29 on January 30, 2026 21:13
When client credentials expire, the silent authentication flow now
correctly detects the expiration and gracefully falls back to a
logged-out state instead of redirecting to the OAuth provider and
showing an error page. Adds a clientExpiresAt field to
ISessionInternalInfo, reads it from storage in SessionInfoManager,
and updates the CHANGELOG.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@timgent timgent force-pushed the fix/expired-client-silent-auth branch from b3b7d29 to 091227c on February 1, 2026 10:47