Bdaya-Dev/oidc

Flutter web: Should refresh work for implicitFlow?

Closed this issue · 9 comments

Description

I get a token which is valid for 1 hour. I set the refreshBefore value to 59 minutes, but I can't see anything refreshing. Not sure if I'm doing something wrong.

Steps To Reproduce

Configure OidcUserManager:

    oidcUserManager.lazy(
      discoveryDocumentUri: OidcUtils.getOpenIdConfigWellKnownUri(
        Uri.parse('my discover url'),
      ),
      // this is a public client,
      // so we use [OidcClientAuthentication.none] constructor.
      clientCredentials: const OidcClientAuthentication.none(
        clientId: 'id',
      ),
      store: OidcDefaultStore(),
      settings: OidcUserManagerSettings(
        frontChannelLogoutUri: Uri(path: 'index.html'),
        uiLocales: ['en'],
        refreshBefore: (token) {
          return const Duration(minutes: 59);
        },
        // scopes supported by the provider and needed by the client.
        scope: [
          //...
        ],
        postLogoutRedirectUri:
            Uri.parse('http://localhost:8080/redirect.html'),
        redirectUri: Uri.parse('http://localhost:8080/redirect.html'),
      ),
    );

Call the implicit flow:

    // ignore: deprecated_member_use
    final result = await _oidcUserManager.loginImplicitFlow(
      responseType:
          OidcConstants_AuthorizationEndpoint_ResponseType.idToken_Token,
      originalUri: Uri.parse('/'),
      //store any arbitrary data, here we store the authorization
      //start time.
      extraStateData: DateTime.now().toIso8601String(),
      options: const OidcPlatformSpecificOptions(
        web: OidcPlatformSpecificOptions_Web(
          navigationMode:
              OidcPlatformSpecificOptions_Web_NavigationMode.samePage,
        ),
      ),
    );

Expected Behavior

I would expect that either the userManager.userChanges().listen((event) ...) event fires, or that I see some sort of refresh in the Chrome debugger, but I don't see any.

Additional Context

Note I'm exclusively on web:

    assert(kIsWeb == true); // always true

Since loginImplicitFlow is deprecated, I'm thinking maybe it's not supported?

Otherwise, great package!
Daniel

Implicit flow doesn't return a refresh token for security reasons; that's why there is prompt: none, so that you can re-authenticate without a refresh token.

Hi,

thanks for your answer!

Just to be clear, do you mean to just re-authenticate like this:

    final result = await _oidcUserManager.loginImplicitFlow(
      // ...
      promptOverride: ['none'],
      options: OidcPlatformSpecificOptions(
        web: OidcPlatformSpecificOptions_Web(
          navigationMode: OidcPlatformSpecificOptions_Web_NavigationMode.hiddenIFrame,
        ),
      ),
    );

yes, exactly
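The silent re-authentication the maintainer describes, walked through at the protocol level as an added example (this is not code from the oidc package): the implicit-flow callback fragment carries no refresh_token, so the client schedules a prompt=none request for expires_in minus refreshBefore, rejects a prompt=none error response, and consumes each state id on return so stored states do not accumulate. The authorize endpoint, client id and callback fragment are constructed values.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

REFRESH_BEFORE_S = 59 * 60   # the issue's refreshBefore: Duration(minutes: 59)
pending_states = set()       # one-time state ids for outstanding requests

def build_authorize_url(authorize_endpoint, client_id, redirect_uri, silent=False):
    """Implicit-flow request (response_type=id_token token); silent=True adds
    prompt=none, i.e. the hidden-iframe re-authentication from the thread."""
    state = secrets.token_urlsafe(16)
    pending_states.add(state)
    params = {"response_type": "id_token token", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid",
              "state": state, "nonce": secrets.token_urlsafe(16)}
    if silent:
        params["prompt"] = "none"
    return authorize_endpoint + "?" + urlencode(params), state

def handle_callback(callback_url):
    """Parse the fragment the provider redirected back with. Returns the tokens
    and the number of seconds until the next silent re-auth should run."""
    frag = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).fragment).items()}
    state = frag.get("state")
    if state not in pending_states:
        raise ValueError("unknown or replayed state")
    pending_states.discard(state)  # consume it, so stored states never pile up
    if "error" in frag:
        # prompt=none yields login_required / interaction_required once the
        # provider session is gone; the caller must fall back to interactive login
        raise PermissionError(frag["error"])
    if "refresh_token" in frag:
        raise ValueError("implicit flow must not return a refresh token")
    tokens = {"access_token": frag["access_token"], "id_token": frag["id_token"]}
    # With a 1 h token and refreshBefore = 59 min this is 60 s after issuance.
    reauth_in = max(0, int(frag["expires_in"]) - REFRESH_BEFORE_S)
    return tokens, reauth_in

def demo():
    # Constructed endpoint, client id and callback fragment; no real provider.
    url, state = build_authorize_url("https://idp.example/authorize", "id",
                                     "http://localhost:8080/redirect.html", silent=True)
    cb = ("http://localhost:8080/redirect.html#access_token=at.constructed"
          f"&id_token=idt.constructed&token_type=Bearer&expires_in=3600&state={state}")
    tokens, reauth_in = handle_callback(cb)
    return "prompt=none" in url, tokens["access_token"], reauth_in
```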

thank you!


Hey sorry I have to bother you again.

I noticed that if I call loginImplicitFlow with promptOverride: ['none'], etc. there is a state object saved to localStorage each time, which eventually leads to a bad request - "header too long" error.

Note I do not set any state as custom data when calling the refresh request. I'm also not sure where this is saved; I tried not redirecting to the redirect.html file, because I was expecting these states in localStorage are saved there.

There is always a state object created with each auth request; it's definitely not related to the error you are seeing, since we only send the state id.

Where is the error exactly raised from? What OpenID provider do you use?

Hey,

I found out the long request header comes from session cookies that are saved on each "silent" relogin. Have to check back with my OpenID provider (it's an Azure B2C with a federated proprietary system) first, I guess.

Thanks a lot as always.

I see, that's definitely a problem, but since the cookies are provided by the IdP, we have no control over them.

Ideally they should remove old cookies before adding new ones.

Closing for inactivity