This repository has been archived by the owner on Sep 18, 2021. It is now read-only.
Question: Refreshing access tokens when using implicit flow #719
Assignees
Labels
Comments
|
depends on the type of RP - JS cliens can automatically refresh tokens as long as the logon session is valid at the OP (see the JsOAuth sample). Server side applications should use code flow and refresh tokens. |
|
Thanks for the swift reply! Just wondering about your comment how the js sample automatically may refresh access tokens. How is it doing this - by polling the authorize endpoint? It's this js sample you are talking about, right? We'll have both kind of clients, so better learn all options. :) |
|
With JS apps one can refresh the access token by issuing a new authorization in hidden iframe when the old one is expired. There is also a extra query argument that is useful for it, add More about prompt=none in the OpenId Authorization Endpoint spec. |
suutari-ai
added a commit
to suutari-ai/django-oidc-provider
that referenced
this issue
Jun 29, 2017
It should be OK to use the stored user consent even if the client is public. The redirect uri checks should make sure that the stored consent of another client cannot be misused to get a consent to a site that is not related to the client. It is also important to support this, since public clients using implicit flow do not have a refresh token to update their access tokens, so only way to keep their login session open is by issuing authorization requests from an iframe with the "prompt=none" parameter (which does not work without the previously stored consent). See the following links for more info and examples on how to renew the access token with SPAs: https://auth0.com/docs/api-auth/tutorials/silent-authentication#refresh-expired-tokens https://damienbod.com/2017/06/02/ IdentityServer/IdentityServer3#719 (comment)
suutari-ai
added a commit
to suutari-ai/django-oidc-provider
that referenced
this issue
Jun 29, 2017
It should be OK to use the stored user consent even if the client is public. The redirect uri checks should make sure that the stored consent of another client cannot be misused to get a consent to a site that is not related to the client. It is also important to support this, since public clients using implicit flow do not have a refresh token to update their access tokens, so only way to keep their login session open is by issuing authorization requests from an iframe with the "prompt=none" parameter (which does not work without the previously stored consent). See the following links for more info and examples on how to renew the access token with SPAs: https://auth0.com/docs/api-auth/tutorials/silent-authentication#refresh-expired-tokens https://damienbod.com/2017/06/02/ IdentityServer/IdentityServer3#719 (comment)
suutari-ai
added a commit
to suutari-ai/django-oidc-provider
that referenced
this issue
Jun 29, 2017
When using Implicit Flow, it should be OK to use the stored user consent even if the client is public. The redirect uri checks should make sure that the stored consent of another client cannot be misused to get a consent to a site that is not related to the client. It is also important to support this, since public clients using Implicit Flow do not have a refresh token to update their access tokens, so only way to keep their login session open is by issuing authorization requests from an iframe with the "prompt=none" parameter (which does not work without the previously stored consent). See the following links for more info and examples on how to renew the access token with SPAs: https://auth0.com/docs/api-auth/tutorials/silent-authentication#refresh-expired-tokens https://damienbod.com/2017/06/02/ IdentityServer/IdentityServer3#719 (comment)
wojtek-fliposports
pushed a commit
to juanifioren/django-oidc-provider
that referenced
this issue
Jul 7, 2017
When using Implicit Flow, it should be OK to use the stored user consent even if the client is public. The redirect uri checks should make sure that the stored consent of another client cannot be misused to get a consent to a site that is not related to the client. It is also important to support this, since public clients using Implicit Flow do not have a refresh token to update their access tokens, so only way to keep their login session open is by issuing authorization requests from an iframe with the "prompt=none" parameter (which does not work without the previously stored consent). See the following links for more info and examples on how to renew the access token with SPAs: https://auth0.com/docs/api-auth/tutorials/silent-authentication#refresh-expired-tokens https://damienbod.com/2017/06/02/ IdentityServer/IdentityServer3#719 (comment)
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Hi,
We've set up a RP with a client assigned for implicit flow, and are looking at refreshing access tokens before exipiry. As refresh tokens aren't supported for implicit flow we are unsure of what would be the best way to get new access tokens when the RP is using the implicit flow.
Is there any other way than having to create another Client (in the Client Store) with a flow set to Client Credentials for the same RP and use this?
Or do we have to switch to code flow + refresh tokens?
The text was updated successfully, but these errors were encountered: