Yeah… I won’t lie, understand the JWT workflow alone is complex
Made worse by the fact there are many flows depending on things like client security (web clients are the most insecure). As it’s largely architectural convention implementations vary and that is a weakness of OAuth / OpenID IMHO. I started with the Google docs which are Aweful!!! Auth0 do an excellent job but it’s so complex. I gave up as my communications protocol plumbing days are well over. In this case I really want it to just work without my needing to do anything in my code, and especially not spend so much effort on why it is not working!!
so I don’t think it’s “expiration” in the sense that the JWT self-destructs
Quite.The JWT is just a document and working code has to make “it expire”. And we have several things that need to do somehting to make the expiry mean anything when it gets a chance to run (and they all need to agree)
- Userland Frontend code - Nothing happening here, move along. But there is a refeshtoken call available. I have seen code that checks the expiration on every action and logs a user out or warns them. We should probably do that for good UX
- go widget client side - I guess you know what it does, if anything
- go widget server side / identity - I’ve no idea if there is anyhting happening there
- Functions - only if we send the token and then all checks are probably down to our function code checking “exp” and “aud” etc plus calling to Netlify APIs to check is valid user etc
- Forms - don’t care AFAIKS
- gating - probably checks the exp as well as roles in app_metadata but don’t know if is the same token in use or another separate one. If same then how do they get kept in sync without breakages when everyhting is event driven?
- Netlify API - probably supplies it’s own access tokens with own exp etc. I’ve not looked
then come back to the site on day 2 and be logged in but unable to access certain pages that are role-gated in the
_redirects… which feels… bad.
I’m pretty sure that’s what I see after an hour of non use. I don’t think active use causes any difference - unless that invokes code to check. A log out and control F5 is needed to use the app. In some other broken states a F5 is need to see the gated page at all rather than 404. This is ALL bad UX, if not terrible!
I’d really like Netlify to work on these issues, or at acknowledge them. But there’s been zero engagement with this thread. Probably the size is frightening every one off.
All of that happening at the same time is hurting my head
Me to. I want it to just work. Please Netlify!