Hey,
For some reason I keep getting
message: "Your refresh token is expired."
I suspect that here:
const {token, expiresIn} = await this.$axios.$post('refresh-token');
I am not sending a request with a refresh_token cookie attached? Can you please explain how refresh_token should be being passed here?

When your access_token has expired (because it's short-lived), we are sending a POST request to the refresh-token route, which calls the refreshToken method in the Controller. There we are checking if the httponly cookie is passed with the request, if it is, then we are getting a new access_token and new refresh_token.

Yeah, this is clear, but for some reason, the cookie is not being passed from nuxt in the first place in the await this.$axios.$post('refresh-token');. Can this be because my front-end and back-end are on different domains? And how to overcome this?

dump(request()->cookie()) returns an empty array on Cors.php middleware on /api/refresh-token request

Will your guide work in case my laravel api is site.test and my nuxt is running on localhost:3000 for e.g.? Because I am coming to the conclusion that top-level domains must be the same for this to work?

No, your apps can be on different domains, and this would still work. I can't know for sure what went wrong in your case. Maybe the httponly cookie isn't set in the first place, or you're sending the request without the cookie. Until I see the errors or some code, I can't know what's wrong.

Was there a solution to this issue? I'm currently having the exact error when refresh token is called.
Update:
I ran this in the login after grantPasswordToken function:
Log::notice(cookie('refresh_token'));
and here is the response:
refresh_token=deleted; expires=Mon, 28-Oct-2019 22:11:22 GMT; Max-Age=0; path=/; httponly

Hi @stefan
I am also encountering this problem. I tested on Postman and I can see the refresh_token into the cookie so I can get it through request()->cookie('cookie')
i.imgur.com/YxbCYde.png
But on my browser, the refresh_token cookie is not existing. I already added AddQueuedCookiesToResponse in Kernel.php and tried to except the cookie in EncryptCookies but still, refresh_token is not existing.
i.imgur.com/WsGiaYi.png
Did I miss anything? Thanks in advance.

As the refresh_token is set to be HttpOnly cookie, you can't access it or see it in the browser cookies. The refresh_token is used only to renew the access_token when it expires.
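
Added example, not part of the original thread or the guide's own code: a small checker that takes a Set-Cookie header and the request context discussed above (Nuxt on localhost:3000, Laravel API on site.test) and lists the reasons a browser would not store or send the refresh_token cookie. The function names, the `crossSite` flag and the second sample header are constructed; it assumes a browser that treats a missing SameSite attribute as Lax.

```javascript
// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// List the reasons a browser would not store or send the cookie on an XHR
// from pageOrigin to apiUrl. HttpOnly is deliberately not checked: it hides
// the cookie from document.cookie but does not stop it being sent.
// crossSite is supplied by the caller (assumption: deciding it properly
// needs the Public Suffix List).
function diagnose({ pageOrigin, apiUrl, setCookie, withCredentials, cors, crossSite }) {
  const problems = [];
  const { attrs } = parseSetCookie(setCookie);
  const page = new URL(pageOrigin).origin;
  const api = new URL(apiUrl);
  if ('max-age' in attrs && Number(attrs['max-age']) <= 0)
    problems.push('Set-Cookie deletes the cookie (Max-Age <= 0)');
  if (attrs.secure && api.protocol !== 'https:')
    problems.push('Secure cookie on a non-HTTPS API URL');
  if (page !== api.origin) {
    // Cross-origin XHR: both sides must opt in to credentials.
    if (!withCredentials)
      problems.push('request sent without withCredentials');
    if (cors['access-control-allow-credentials'] !== 'true')
      problems.push('response lacks Access-Control-Allow-Credentials: true');
    if (cors['access-control-allow-origin'] !== page)
      problems.push('Access-Control-Allow-Origin is not the exact page origin');
  }
  if (crossSite) {
    const sameSite = String(attrs.samesite || 'lax').toLowerCase();
    if (sameSite !== 'none') problems.push('SameSite=' + sameSite + ' blocks cross-site POST');
    else if (!attrs.secure) problems.push('SameSite=None requires Secure');
  }
  return problems;
}

// Header string as logged in the thread; the request context is constructed.
const LOGGED = 'refresh_token=deleted; expires=Mon, 28-Oct-2019 22:11:22 GMT; Max-Age=0; path=/; httponly';
console.log(diagnose({ pageOrigin: 'http://localhost:3000', apiUrl: 'http://site.test/api/refresh-token',
  setCookie: LOGGED, withCredentials: false, cors: {}, crossSite: true }));
```

Feed it the real Set-Cookie and CORS response headers copied from the browser's network tab for the login and refresh-token requests.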