Refresh token and silent refresh
mlbiche opened this issue · 3 comments
I have a question regarding refresh tokens and silent refresh (maybe because I am pretty new to OAuth2 and OIDC).
The module documentation regarding silent refresh using Code Flow does not mention any use of `this.oauthService.silentRefresh()` but instead the use of `this.oauthService.refreshToken()`.
I am getting inspiration from your repo, which is a great inspiration for getting started with OAuth2 and OIDC within Angular, and I am wondering why you use `this.oauthService.silentRefresh()` (auth.service.ts:109) and if you have seen this note in the module documentation?
Also, you have not added `offline_access` in the scope as advised in the documentation. Is it on purpose?
Thank you for your answer 😃
Hey! The sample uses the iframe based silent refresh currently. In #40 you can read up about caveats with this approach: basically if you serve your IDS on a different domain than your app, then you'll be in trouble.
Refresh tokens are one way to deal with that. As you said it requires `offline_access` in the scope. It should be quite possible to use that with my sample. Things to keep in mind:
- Add `offline_access` to the scope, and you should get a refresh token
- Change your `client_id` too if needed, and make sure your ID Server is allowed to give out refresh tokens
- Add any additional mitigations in your architecture to prevent abuse of refresh tokens
- (MAYBE - not sure if this is needed) => you might need to change the way my sample does refreshes, but maybe not
For that last point: just give it a go, and get back to us what you found! That might help others.
Hi!
Thanks for your quick answer. I just read your comment and the issue you are mentioning.
Yesterday, I managed to get the refresh token working, but I receive the refresh token even without adding `offline_access` to the scope. I even get an error from my IDS when I add `offline_access` to the scope. This situation may be specific to my IDS, which is Keycloak.
Also, as the IDS server (id.myapp.com) is on a similar subdomain as the application (app.myapp.com) it may make things easier.
Here are the changes in my code, so it may help people dealing with refresh tokens in Code Flow with Keycloak:
- In the initial login sequence, after loading the discovery document, trying to log in and having an invalid access token (I am using an `async/await` format, but it is the same):
```ts
if (this.oauthService.getRefreshToken()) {
  try {
    await this.oauthService.refreshToken();
  } catch (err) {
    // Refresh token has failed: clear the user and stop here
    this.isDoneLoading$.next(true);
    this.user$.next(null);
    return;
  }
  // Refresh token has succeeded
  // Handle successful login
  return;
}
// Login failed and refresh token is missing
this.isDoneLoading$.next(true);
this.user$.next(null);
return Promise.resolve();
```
- In the authentication config, I have turned the `useSilentRefresh` option to true.
I am open to any comment, tell me what you think about this solution and what is missing 😉
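The login sequence described in the comment above, as an added example that is neither the sample repository's code nor part of angular-oauth2-oidc. It splits the sequence into a pure decision step and an async runner so that "refresh failed" and "no refresh token present" are distinct outcomes and nothing can fall through from the failure branch into the success branch. The `TokenService` interface and the `FakeService` used to run it offline are assumptions for this example; only the method names (`hasValidAccessToken`, `getRefreshToken`, `refreshToken`) match the library.

```typescript
// Added example, not code from the sample repository or from angular-oauth2-oidc.

// Stand-in for the slice of OAuthService this example uses. The method names
// match angular-oauth2-oidc; the interface itself is an assumption.
interface TokenService {
  hasValidAccessToken(): boolean;
  getRefreshToken(): string | null;
  refreshToken(): Promise<unknown>;
}

type Plan = "use-token" | "refresh" | "anonymous";
type SessionOutcome = "valid" | "refreshed" | "refresh-failed" | "no-session";

// Decide what to do before touching the network.
function planSession(hasValidToken: boolean, refreshToken: string | null): Plan {
  if (hasValidToken) return "use-token";
  if (refreshToken) return "refresh";
  return "anonymous";
}

// The isDoneLoading$ / user$ pair from the comment, reduced to plain values.
interface UiState {
  doneLoading: boolean;
  loggedIn: boolean;
}

function stateFor(outcome: SessionOutcome): UiState {
  return {
    doneLoading: true,
    loggedIn: outcome === "valid" || outcome === "refreshed",
  };
}

async function runLoginSequence(svc: TokenService): Promise<SessionOutcome> {
  const plan = planSession(svc.hasValidAccessToken(), svc.getRefreshToken());
  if (plan === "use-token") return "valid";
  if (plan === "anonymous") return "no-session";
  try {
    await svc.refreshToken();
    return "refreshed";
  } catch (err) {
    // A rejected refresh (expired or revoked refresh token, IDS unreachable)
    // must not be treated as a login; the caller clears the user and starts over.
    return "refresh-failed";
  }
}

// Constructed fake so the sequence can be exercised without a real IDS.
class FakeService implements TokenService {
  constructor(
    private validToken: boolean,
    private refresh: string | null,
    private refreshSucceeds: boolean,
  ) {}
  hasValidAccessToken(): boolean {
    return this.validToken;
  }
  getRefreshToken(): string | null {
    return this.refresh;
  }
  async refreshToken(): Promise<void> {
    if (!this.refreshSucceeds) throw new Error("invalid_grant");
    this.validToken = true;
  }
}

// Runs the four possible situations: valid token, successful refresh,
// failed refresh, and no refresh token at all.
async function demo(): Promise<SessionOutcome[]> {
  return Promise.all([
    runLoginSequence(new FakeService(true, null, true)),
    runLoginSequence(new FakeService(false, "rt-constructed", true)),
    runLoginSequence(new FakeService(false, "rt-constructed", false)),
    runLoginSequence(new FakeService(false, null, true)),
  ]);
}

demo().then((outcomes) => console.log(outcomes.map(stateFor)));
```

The point of the separate `planSession` step is that it is synchronous and trivially testable, while every path through `runLoginSequence` ends in exactly one `return`, so a failed refresh can only ever produce a logged-out state.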
Thx for sharing! I think we can close this issue for now, right? Feel free to post if you have more to share with others landing here, or link to any fork you might have with such a setup.