
Shift to first try to reconnect using stored refresh tokens? #33

@jg10-mastodon-social


The existing Solid-OIDC library used doesn't store refresh tokens. Reconnecting therefore requires granting consent again, and I disable "reconnect on startup" in Umai to avoid being interrupted by the consent screen.

There's a new Solid-OIDC library that does store refresh tokens. It would be great if Umai could shift to using this new library. Ideally Umai would automatically reconnect if a refresh token flow is successful, and stay disconnected (with an error icon) if a new login is required to avoid interrupting the user.

The new Solid-OIDC library's approach is described here:
https://github.com/uvdsl/solid-oidc-client-browser?tab=readme-ov-file#security-considerations
In short, the reason it's ok to store the refresh token is that the refresh token can only be used by the client that proves ownership of the registered private key - which is stored as a non-extractable keypair in an IndexedDB available only to the origin. An attacker that can execute JavaScript on the client can still sign new requests, but they could also run a new silent authentication process, so this is no worse than the existing Solid-OIDC library.

Edit: Default lifetime of refresh tokens with CSS is 24h, so unless Umai also implemented a web worker to get a new refresh token behind the scenes, there would be no difference for a user who uses the app less than once a day.
https://github.com/CommunitySolidServer/CommunitySolidServer/blob/main/config/identity/handler/base/provider-factory.json
