This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Question: iFrame error login_required #98

Closed
chris-house opened this issue Aug 30, 2016 · 15 comments

@chris-house

Hi, I have an iFrame auto-logging me in and auto refreshing the tokens, but somehow when I leave the website running overnight, I eventually get Response was error login_required.
image

Here is my login code. The main login function is startIframeLogin()

image

@chris-house
Author

chris-house commented Aug 30, 2016

What I think is happening is the cookies on the Identity server are expired even though they are session cookies. To recreate, I can navigate to the identity server and delete the cookies. Then the signinSilent gets the error message. Do I first have to issue a signinRedirect when the page first loads before calling signinSilent?

@chris-house
Author

Upon further analysis, it appears that the IIS app pool is recycling every so often and the oidc server is storing some things in memory.

@brockallen
Member

Yes, eventually the user will be logged out of the OP. IdSvr uses a fixed 8 hour cookie by default.

@chris-house
Author

@brockallen, do I first have to issue a signinRedirect when the page first loads before calling signinSilent? For me signinSilent is not creating the cookies on the identity server.

@brockallen
Member

brockallen commented Aug 30, 2016

To create the cookie on IdSvr you need to send the user via the front channel to login.

@chris-house
Author

chris-house commented Aug 30, 2016

@brockallen, I haven't thought this through just yet, but couldn't the iframe call signinRedirect, process the callback. If I then call getUser and they exist, then just call mgr.signinSilentCallback?

These would happen in the signin_renew.html

On the main js file I would be calling mgr.signinSilent

My goal is to make my SPA autologin, and always stay logged in.

chris-house changed the title from "iFrame error login_required" to "Question: iFrame error login_required" on Aug 30, 2016

@brockallen
Member

> My goal is to make my SPA autologin, and always stay logged in.

This is fundamentally limited by the session lifetime at the OP (and then an access token lifetime).

@chris-house
Author

@brockallen, yes but with the addAccessTokenExpiring and addAccessTokenExpired, we should be able to trigger the login process again.

@brockallen
Member

The expiration of the access token is unrelated to the user's session at the OP. If they're still logged in at the OP, then yes, silent renew should just work. But if their session is ended at the OP, then there's nothing you can do except detect this and force them to go login again.

@chris-house
Author

@brockallen could I implement the initial login through an iframe?

chris-house reopened this Nov 9, 2016

@chris-house
Author

To answer my own question: yes I can.

@ErikSchierboom
Contributor

@crh225 Could you perhaps show how you solved this? I'm having the same problem.

@vaarenyam

It would indeed be nice to get to know the resolution to this issue.

@jvitor83

@brockallen You have said:

"But if their session is ended at the OP, then there's nothing you can do except detect this and force them to go login again"

Is there anywhere in the Identity Server where I can configure this time?

@crh225 How did you solve this problem?

@coder8keyboard

This is not a very good design. If a user's session ends while in the middle of completing a long form, they will lose all the information that they filled in. Sounds like a major bug.
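
Added example, not part of the original thread and not code from the oidc-client project: one way to handle the case discussed above, where signinSilent fails with login_required because the session at the OP has ended, by saving unsaved work and sending the user through the front channel with signinRedirect. The names `renewOrReauthenticate`, `isLoginRequired`, `saveDraft` and `returnUrl` are hypothetical, and the sketch assumes the rejected signinSilent promise carries the OIDC error code in `error` or in its message.

```javascript
// Added example: mgr is any object exposing the UserManager methods
// signinSilent() and signinRedirect(); saveDraft is a hypothetical app hook.

// True when the OP answered the silent request with "login_required",
// i.e. the user's session cookie at the OP is gone or expired.
// Assumption: the error code is in err.error or in err.message.
function isLoginRequired(err) {
  return Boolean(err) && (err.error === 'login_required' ||
    /login_required/.test(String(err.message || '')));
}

// Try a silent renew. If the OP session has ended, persist unsaved work and
// send the top-level window through the front channel to log in again.
async function renewOrReauthenticate(mgr, options) {
  const { returnUrl, saveDraft } = options;
  try {
    const user = await mgr.signinSilent();
    return { outcome: 'renewed', user };
  } catch (err) {
    if (!isLoginRequired(err)) {
      // Network failure, iframe timeout, etc.: not proof the session ended,
      // so do not bounce the user to the login page for it.
      return { outcome: 'failed', error: err };
    }
    // Session at the OP is over: keep the user's in-progress data first.
    if (saveDraft) await saveDraft();
    // state is round-tripped and available as user.state after the callback.
    await mgr.signinRedirect({ state: { returnUrl } });
    return { outcome: 'redirecting' };
  }
}

// Wiring in the SPA (assumption: mgr is the page's UserManager instance):
//   mgr.events.addAccessTokenExpiring(() =>
//     renewOrReauthenticate(mgr, { returnUrl: location.pathname, saveDraft }));
```

After the redirect callback completes, treat `user.state.returnUrl` as a same-origin path only before navigating to it.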
