[Question]: Option to control/bypass session storage mechanism #2018

Open
prakashsatyani opened this issue Oct 11, 2024 · 2 comments
@prakashsatyani

What Version of the library are we using?
15


Question
After upgrading from the angular-auth-oidc-client library for Angular 13 to the version for Angular 15, we noticed a change in behavior regarding token storage and the handling of the token.oauth API call.

Previously (Angular 13 version), the token.oauth API call was made on every page reload, ensuring that the latest authentication token was retrieved. However, in the Angular 15 version of the library, the token is now being stored in session storage. Upon page reload, if the token is present in session storage, the token.oauth API call is not triggered.

This new behavior is causing an issue in our use case, as we rely on always making the token.oauth API call to fetch an updated token and ensure proper authentication. This also presents a security concern for some of our partners.

Request
Is there any way to:

  • Comment out or bypass this session storage mechanism?
  • Provide a configuration option to enable or disable this behavior based on the use case?

Having control over this behavior would be helpful, as different use cases may require either always making the token.oauth API call or relying on session storage for performance optimization.

We appreciate your support and look forward to any suggestions or workarounds.

@timdeschryver
Contributor

Do you find the information you need in the docs?
https://angular-auth-oidc-client.com/docs/documentation/custom-storage

@prakashsatyani
Author

We have already looked at this document and unfortunately that’s not something we can use due to security reasons.

In v13, the OIDC token call happened after each reload regardless of the session storage contents. However, this behaviour has changed in v15, which is creating a security concern at our end.

We wish to circumvent this new validation from v15.
