-
-
Notifications
You must be signed in to change notification settings - Fork 764
Question: Refreshing access tokens when using implicit flow #719
Comments
depends on the type of RP - JS cliens can automatically refresh tokens as long as the logon session is valid at the OP (see the JsOAuth sample). Server side applications should use code flow and refresh tokens. |
Thanks for the swift reply! Just wondering about your comment how the js sample automatically may refresh access tokens. How is it doing this - by polling the authorize endpoint? It's this js sample you are talking about, right? We'll have both kind of clients, so better learn all options. :) |
With JS apps one can refresh the access token by issuing a new authorization in hidden iframe when the old one is expired. There is also a extra query argument that is useful for it, add More about prompt=none in the OpenId Authorization Endpoint spec. |
It should be OK to use the stored user consent even if the client is public. The redirect uri checks should make sure that the stored consent of another client cannot be misused to get a consent to a site that is not related to the client. It is also important to support this, since public clients using implicit flow do not have a refresh token to update their access tokens, so only way to keep their login session open is by issuing authorization requests from an iframe with the "prompt=none" parameter (which does not work without the previously stored consent). See the following links for more info and examples on how to renew the access token with SPAs: https://auth0.com/docs/api-auth/tutorials/silent-authentication#refresh-expired-tokens https://damienbod.com/2017/06/02/ IdentityServer/IdentityServer3#719 (comment)
It should be OK to use the stored user consent even if the client is public. The redirect uri checks should make sure that the stored consent of another client cannot be misused to get a consent to a site that is not related to the client. It is also important to support this, since public clients using implicit flow do not have a refresh token to update their access tokens, so only way to keep their login session open is by issuing authorization requests from an iframe with the "prompt=none" parameter (which does not work without the previously stored consent). See the following links for more info and examples on how to renew the access token with SPAs: https://auth0.com/docs/api-auth/tutorials/silent-authentication#refresh-expired-tokens https://damienbod.com/2017/06/02/ IdentityServer/IdentityServer3#719 (comment)
When using Implicit Flow, it should be OK to use the stored user consent even if the client is public. The redirect uri checks should make sure that the stored consent of another client cannot be misused to get a consent to a site that is not related to the client. It is also important to support this, since public clients using Implicit Flow do not have a refresh token to update their access tokens, so only way to keep their login session open is by issuing authorization requests from an iframe with the "prompt=none" parameter (which does not work without the previously stored consent). See the following links for more info and examples on how to renew the access token with SPAs: https://auth0.com/docs/api-auth/tutorials/silent-authentication#refresh-expired-tokens https://damienbod.com/2017/06/02/ IdentityServer/IdentityServer3#719 (comment)
When using Implicit Flow, it should be OK to use the stored user consent even if the client is public. The redirect uri checks should make sure that the stored consent of another client cannot be misused to get a consent to a site that is not related to the client. It is also important to support this, since public clients using Implicit Flow do not have a refresh token to update their access tokens, so only way to keep their login session open is by issuing authorization requests from an iframe with the "prompt=none" parameter (which does not work without the previously stored consent). See the following links for more info and examples on how to renew the access token with SPAs: https://auth0.com/docs/api-auth/tutorials/silent-authentication#refresh-expired-tokens https://damienbod.com/2017/06/02/ IdentityServer/IdentityServer3#719 (comment)
Hi,
We've set up a RP with a client assigned for implicit flow, and are looking at refreshing access tokens before exipiry. As refresh tokens aren't supported for implicit flow we are unsure of what would be the best way to get new access tokens when the RP is using the implicit flow.
Is there any other way than having to create another Client (in the Client Store) with a flow set to Client Credentials for the same RP and use this?
Or do we have to switch to code flow + refresh tokens?
The text was updated successfully, but these errors were encountered: