Support Cross tab RT token usage better

[mooreds]

Support Cross tab RT token usage better

Problem

When you use a micro-front end and store your refresh tokens in cookies, refreshing can happen from multiple JS requests, causing issues. In particular, if you have one time use tokens, this scenario can happen:

• JS in component 1 refreshes access token, gets RT A as well
• JS in component 2 refreshes access token, gets RT B and invalidates RT A

Multiply by many possible components, and you get a thundering herd of RT requests.

Solution

The JS client should handle RT management across tabs.

Alternatives/workarounds

Handle the token management in client side code.

Additional context

Related Issues:

• Allow for single use refresh token to be successful during mulitple refresh requuests in short window (reuser internal) fusionauth-issues#2867
• The client libraries should include token management functionality fusionauth-issues#1674

Internal:

• https://inversoft.slack.com/archives/C051S8N8E/p1725981333513369

Community guidelines

All issues filed in this repository must abide by the FusionAuth community guidelines.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.

[lyleschemmerling]

In your example what are the actual calls being made? I want to make sure that I understand this scenario fully.

A mermaid chart of the http requests would also be acceptable :)

[mooreds]

Assume Component 1 and Component 2 are storing both AT and RT as cookies. The RT is one time use.

sequenceDiagram
    participant Component1 as JS Component 1
    participant Component2 as JS Component 2
    participant API as API
    participant Auth as Auth Server
    
    Component1->>API: Call API Endpoint
    API-->>Component1: API Response
    Component2->>API: Call API Endpoint
    API-->>Component2: API Response
      Note right of Component2: AT expires, components know because of at_exp

    Component1->>Auth: Request New AT/RT
    Auth-->>Component1: New AT/RT (stored in cookie)
    Component2->>Auth: Request New AT/RT
    Auth-->>Component2: New AT/RT (stored in cookie)

Loading

Ideally Component2 would realize that there was already a new AT available in the cookie.

Now imagine this happens for 20 components on a page, and you are requesting 20x the RTs needed.