Skip to content

Fix silent auth redirect with expired client credentials#4181

Open
timgent wants to merge 1 commit intoinrupt:mainfrom
timgent:fix/expired-client-silent-auth
Open

Fix silent auth redirect with expired client credentials#4181
timgent wants to merge 1 commit intoinrupt:mainfrom
timgent:fix/expired-client-silent-auth

Conversation

@timgent
Copy link

@timgent timgent commented Jan 25, 2026
edited
Loading

This PR fixes bug #4177.

Summary

When handleIncomingRedirect({ restorePreviousSession: true }) is called with stored session data containing an expired client_id, the library now validates client expiration before attempting silent authentication. This prevents the redirect to the OAuth provider with invalid credentials, which previously caused users to be stuck on an error page.

Changes

  • Add clientExpiresAt field to ISessionInternalInfo so client expiration data flows through the existing SessionInfoManager.get()validateCurrentSession()silentlyAuthenticate() path
  • Read expiresAt from storage in the browser SessionInfoManager.get() and return it as clientExpiresAt
  • Check expiration inline in silentlyAuthenticate() using the session info fields, rather than a separate method
  • Clear stored session when client is expired to prevent retry loops

Design

Rather than adding a separate isClientExpired() method and threading storageUtility through the ClientAuthentication constructor, the expiration timestamp is surfaced as part of the session info that already gets retrieved during silent auth. This keeps the change minimal and avoids extra constructor parameters, mock plumbing, and redundant storage reads.

Checklist

  • I've added a unit test to test for potential regressions of this bug.
  • The changelog has been updated, if applicable.
  • Commits in this PR are minimal and have descriptive commit messages.

🤖 Generated with Claude Code

@timgent timgent force-pushed the fix/expired-client-silent-auth branch from d02584a to ecac935 Compare January 29, 2026 22:27
@timgent timgent marked this pull request as ready for review January 29, 2026 22:30
@timgent timgent requested a review from a team as a code owner January 29, 2026 22:30
@NSeydoux
Copy link
Contributor

NSeydoux commented Jan 30, 2026

Thanks for opening this PR! I'll have a look as soon as possible :)

@timgent timgent force-pushed the fix/expired-client-silent-auth branch 2 times, most recently from b3b7d29 to 091227c Compare February 1, 2026 10:47
NSeydoux
NSeydoux reviewed Feb 6, 2026
View reviewed changes
packages/browser/src/Session.ts Outdated
Comment on lines 88 to 98
Copy link
Contributor

@NSeydoux NSeydoux Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can this check be moved up to validateCurrentSession?

Copy link
Author

@timgent timgent Feb 6, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep fair point, will update when I find a few mins 👍

Copy link
Author

@timgent timgent Feb 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update pushed 👍

@timgent timgent force-pushed the fix/expired-client-silent-auth branch 2 times, most recently from ebaee2b to 0930fdd Compare February 7, 2026 16:35
@NSeydoux
Copy link
Contributor

NSeydoux commented Feb 11, 2026

I'm sorry, I didn't realize until now your commits weren't signed. We have a branch protection rule requiring signed commit. I can sign the commit myself, but for proper attribution I'd prefer that you setup signing keys if it's okay with you. Github provides some intructions on how to do this. If it's too much of a bother, I can go ahead with my own signature, but I would prefer you get full credit for your work :)

@timgent timgent force-pushed the fix/expired-client-silent-auth branch from 0930fdd to 92b76c6 Compare February 14, 2026 19:45
@timgent
Copy link
Author

timgent commented Feb 14, 2026
edited
Loading

@NSeydoux sorry for missing that - I've updated the commit so it's now signed. Thanks again for engaging so quickly with the issue and for reviewing this PR!

@timgent @claude
Fix silent auth redirect with expired client credentials
c0207d2 
When client credentials expire, the silent authentication flow now
correctly detects the expiration and gracefully falls back to a
logged-out state instead of redirecting to the OAuth provider and
showing an error page. Adds a clientExpiresAt field to
ISessionInternalInfo, reads it from storage in SessionInfoManager,
and updates the CHANGELOG.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@timgent timgent force-pushed the fix/expired-client-silent-auth branch from 92b76c6 to c0207d2 Compare February 14, 2026 20:40
@NSeydoux NSeydoux mentioned this pull request Feb 16, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@NSeydoux NSeydoux NSeydoux left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@timgent @NSeydoux

Comments