OIDC client requests access token refresh every second though it can be omitted #1384

Open
mr-nothing opened this issue Jun 10, 2024 · 2 comments

mr-nothing commented Jun 10, 2024

Issue and Steps to Reproduce

  • oidc-client library configured with refresh_time_before_tokens_expiration_in_second set to 30 and token_renew_mode set to access_token_invalid.
  • Keycloak configured with client idle session time set to 5 minutes and client max session time set to 5 minutes.
  • Wait until 30 seconds remain before the access token expires.

Versions

oidc-client - 7.22.4

Expected

When the session is going to expire in 30 seconds, I expect the client not to make any requests to refresh the token, despite the fact that 30 or fewer seconds remain before the access token expires, since every new token's expiration time will be constricted by the session max time anyway.

Actual

When the session is going to expire in 30 seconds, the OIDC client makes requests to refresh the access token approximately every second, which is frustrating in the case of short-lived Keycloak sessions (30 to 60 minutes, for example).
I saw this section in the FAQ, but it states that it is kinda ok, and I think this behaviour can be fixed pretty easily just by not refreshing the token on a periodic basis and refreshing it only in case something bad happened (e.g. 401, 403 or some other scenarios), if it is required at all.

Thanks in advance for clarification and any info!

@guillaume-chervet
Contributor

Hi @mr-nothing, thank you for your issue.

Do you have a sample of your configuration? Are you using a service worker?

Do you have a sample of your tokens request response? The main logic is here:

const accessTokenExpiresAt = (accessTokenPayload && accessTokenPayload.exp) ? accessTokenPayload.exp : tokens.issuedAt + expireIn;

You can play with these parameters to find your best configuration:

configuration: {
    refresh_time_before_tokens_expiration_in_second: Number, // default is 120 seconds
    token_renew_mode: String, // Optional, update tokens based on the selected token(s) lifetime: "access_token_or_id_token_invalid" (default), "access_token_invalid", "id_token_invalid"
    token_automatic_renew_mode: TokenAutomaticRenewMode.AutomaticOnlyWhenFetchExecuted, // Optional, default is TokenAutomaticRenewMode.AutomaticBeforeTokensExpiration
    // TokenAutomaticRenewMode.AutomaticBeforeTokensExpiration: renew tokens automatically before they expire
    // TokenAutomaticRenewMode.AutomaticOnlyWhenFetchExecuted: renew tokens automatically only when fetch is executed
    // It requires you to use fetch given by hook useOidcFetch(fetch) or HOC withOidcFetch(fetch)(Component)
    logout_tokens_to_invalidate: Array<string>, // Optional tokens to invalidate during logout, default: ['access_token', 'refresh_token']
  },

Ushakovi commented Jul 17, 2024

@guillaume-chervet Hi! We don't use Service Worker. The problem is that during the last 5 seconds before our session expires there is a request every second to refresh the token, and then the session expires and the sessionLostComponent is displayed. Is it possible to somehow not make these requests when the session has less to live than refresh_time_before_tokens_expiration_in_second? Our config is attached.
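
Added example (not part of the thread and not oidc-client's own code): a one-second-tick model of the scenario reported above, using the issue's values (30-second refresh threshold, 5-minute session max), comparing a plain "renew when inside the threshold" check with a guard that stops renewing once the issuer returns a token whose lifetime no longer exceeds the threshold. Only the expiry expression comes from the thread; nextRenewalDelay, simulate, the token object shape and the guard itself are assumptions for illustration.

```javascript
// Added example: hypothetical helper names, constructed sample values.
const REFRESH_BEFORE_EXPIRY_S = 30; // refresh_time_before_tokens_expiration_in_second in the issue

// Expiry expression quoted in the thread: prefer the JWT exp claim,
// otherwise fall back to issuedAt + expires_in.
function accessTokenExpiresAt(tokens) {
  const payload = tokens.accessTokenPayload;
  return (payload && payload.exp) ? payload.exp : tokens.issuedAt + tokens.expiresIn;
}

// Seconds to wait before the next renewal, or null for "do not renew".
// Guard (assumption): a token issued with a lifetime <= threshold means the
// issuer is capping it (e.g. session max), so renewing cannot extend it.
function nextRenewalDelay(tokens, now, threshold = REFRESH_BEFORE_EXPIRY_S) {
  const expiresAt = accessTokenExpiresAt(tokens);
  const lifetime = expiresAt - tokens.issuedAt;
  if (lifetime <= threshold) return null;
  return Math.max(0, expiresAt - threshold - now);
}

// Constructed model: issuer grants 300 s tokens but never past the
// session end at t = 300 s. Returns the number of refresh requests sent.
function simulate({ guard }) {
  const sessionEnd = 300;
  const tokenLifetime = 300;
  const issue = (t) => ({ issuedAt: t, expiresIn: Math.min(tokenLifetime, sessionEnd - t) });
  let tokens = issue(0);
  let refreshes = 0;
  for (let now = 0; now < sessionEnd; now++) { // one-second timer tick
    const due = guard
      ? nextRenewalDelay(tokens, now) === 0
      : now >= accessTokenExpiresAt(tokens) - REFRESH_BEFORE_EXPIRY_S;
    if (due) {
      tokens = issue(now); // each new token still ends at sessionEnd
      refreshes++;
    }
  }
  return refreshes;
}

console.log("refresh requests without guard:", simulate({ guard: false }));
console.log("refresh requests with guard:   ", simulate({ guard: true }));
```

In this model the unguarded check sends one token request per tick for the whole final threshold window, while the guarded version sends a single request and then lets the session run out.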