Hey,
For some reason I keep getting
message: "Your refresh token is expired."
I suspect that here:
const {token, expiresIn} = await this.$axios.$post('refresh-token');
I am not sending a request with a refresh_token cookie attached? Can you please explain how refresh_token should be being passed here?

When your access_token has expired (because it's short-lived), we are sending a POST request to the refresh-token route, which calls the refreshToken method in the Controller. There we are checking if the httponly cookie is passed with the request, if it is, then we are getting a new access_token and new refresh_token.

Yeah, this is clear, but for some reason, the cookie is not being passed from nuxt in the first place in the await this.$axios.$post('refresh-token');. Can this be because my front-end and back-end are on different domains? And how to overcome this?

dump(request()->cookie()) returns an empty array on Cors.php middleware on /api/refresh-token request

Will your guide work in case my laravel api is site.test and my nuxt is running on localhost:3000 for e.g.? Because I am coming to the conclusion that top-level domains must be the same for this to work?

No, your apps can be on different domains, and this would still work. I can't know for sure what went wrong in your case. Maybe the httponly cookie isn't set in the first place, or you're sending the request without the cookie. Until I see the errors or some code, I can't know what's wrong.

Was there a solution to this issue? I'm currently having the exact error when refresh token is called.
Update:
I ran this in the login after grantPasswordToken function:
Log::notice(cookie('refresh_token'));
and here is the response:
refresh_token=deleted; expires=Mon, 28-Oct-2019 22:11:22 GMT; Max-Age=0; path=/; httponly

Hi @stefan
I am also encountering this problem. I tested on Postman and I can see the refresh_token into the cookie so I can get it through request()->cookie('cookie')
i.imgur.com/YxbCYde.png
But on my browser, the refresh_token cookie is not existing. I already added AddQueuedCookiesToResponse in Kernel.php and tried to except the cookie in EncryptCookies but still, refresh_token is not existing.
i.imgur.com/WsGiaYi.png
Did I miss anything? Thanks in advance.

As the refresh_token is set to be HttpOnly cookie, you can't access it or see it in the browser cookies. The refresh_token is used only to renew the access_token when it expires.
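
For readers debugging the same symptom, here is an added example (not part of the thread or the guide's code) that takes a Set-Cookie line, such as the one logged above, and lists the reasons a browser would leave that cookie off a cross-origin XHR like this.$axios.$post('refresh-token'). The function names and the request descriptor are hypothetical; it assumes an absent SameSite attribute is treated as Lax (as current Chromium-based browsers do) and uses a simplified path match.

```javascript
// Parse one Set-Cookie value into { name, value, attrs }; attribute names are lowercased.
function parseSetCookie(line) {
  const [pair, ...rest] = line.split(';').map(s => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// List why the cookie would be missing from the request.
// req (hypothetical shape): { url, crossSite, withCredentials } describes the XHR.
function whyNotSent(setCookieLine, req) {
  const { attrs } = parseSetCookie(setCookieLine);
  const url = new URL(req.url);
  const reasons = [];
  // Max-Age takes precedence over Expires when both are present.
  const maxAge = attrs['max-age'] !== undefined ? Number(attrs['max-age']) : null;
  const expires = attrs.expires ? Date.parse(attrs.expires) : NaN;
  if ((maxAge !== null && maxAge <= 0) || (maxAge === null && expires <= Date.now()))
    reasons.push('expired: this Set-Cookie deletes the cookie instead of storing it');
  if (attrs.secure && url.protocol !== 'https:')
    reasons.push('Secure cookie, but the request is not HTTPS');
  const path = attrs.path || '/';
  if (!url.pathname.startsWith(path)) // simplified path match
    reasons.push(`request path is outside Path=${path}`);
  if (req.crossSite) {
    if (!req.withCredentials)
      reasons.push('cross-origin XHR sent without withCredentials: true');
    const sameSite = String(attrs.samesite || 'lax').toLowerCase();
    if (sameSite !== 'none')
      reasons.push(`SameSite=${sameSite} withholds the cookie from cross-site XHR`);
    else if (!attrs.secure)
      reasons.push('SameSite=None is only accepted together with Secure');
  }
  return reasons;
}

// The line logged in the thread, and a constructed cookie for comparison.
const LOGGED = 'refresh_token=deleted; expires=Mon, 28-Oct-2019 22:11:22 GMT; Max-Age=0; path=/; httponly';
const CONSTRUCTED = 'refresh_token=abc123; Max-Age=864000; Path=/; HttpOnly; Secure; SameSite=None';
console.log(whyNotSent(LOGGED, { url: 'http://site.test/api/refresh-token', crossSite: true, withCredentials: false }));
console.log(whyNotSent(CONSTRUCTED, { url: 'https://site.test/api/refresh-token', crossSite: true, withCredentials: true }));
```

An empty result means none of these client-side rules withholds the cookie; the HttpOnly flag only hides it from scripts and does not affect whether it is sent.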