I'm looking for advice on how best to handle token expiration with Angular 2 and Identity Server 4. I'm using the implicit flow with Identity Server 4 which doesn't issue refresh tokens and I don't want to have to redirect the user after the token expires.
Also, why isn't there a refresh token? Why won't the hybrid flow work for JavaScript clients? I control the ID Server, the app and the API, so would this work?
I can recommend this library for managing tokens in a JavaScript application: https://github.com/IdentityModel/oidc-client-js
You've correctly chosen the implicit flow for an SPA; here is a description of which flow is the right one: https://leastprivilege.com/2016/01/17/which-openid-connectoauth-2-o-flow-is-the-right-one/
oidc-client provides a great feature called automaticSilentRenew; check the docs. There is a timer in the background that handles an event before token expiration and uses a hidden iframe to get a new access token.
Example for Angular2 and oidc-client: https://github.com/jmurphzyo/Angular2OidcClient
Video with an overview of authentication and authorization in JavaScript web applications using IdentityServer: https://vimeo.com/131636653
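To make the silent-renew mechanism in the answer above concrete, here is an added example (not part of the original answer, and not code from oidc-client-js or IdentityServer). It shows the settings object an oidc-client UserManager is constructed with for automaticSilentRenew, and beside it a small stand-in for the background timer the library runs: read exp from the access token, fire the renew callback accessTokenExpiringNotificationTime seconds before expiry, and chain the next renewal off the new token. The hostnames, client_id, scope and the hand-built unsigned JWT are assumed placeholders, and the "silent renew" function is a stand-in for the hidden-iframe request (UserManager.signinSilent() in oidc-client), so the block runs in Node without a browser or an IdentityServer.

```javascript
// Added example: oidc-client settings for implicit-flow silent renew plus a
// minimal model of the expiring timer. Not oidc-client's own source.

// Settings as oidc-client's UserManager takes them. Hostnames, client_id and
// scope are assumed placeholders.
const oidcSettings = {
  authority: 'https://idsrv.example.com',                          // assumed IdentityServer 4 URL
  client_id: 'angular-spa',                                        // assumed client id
  redirect_uri: 'https://app.example.com/callback',
  silent_redirect_uri: 'https://app.example.com/silent-renew.html', // page loaded in the hidden iframe
  response_type: 'id_token token',                                 // implicit flow: no refresh token
  scope: 'openid profile api1',                                    // assumed scopes
  automaticSilentRenew: true,                                      // start the background timer
  accessTokenExpiringNotificationTime: 60                          // seconds before exp to renew
};

// Base64url-encode without padding, as JWT segments are.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed, unsigned token used only so the example runs offline.
// A real IdentityServer access token is a signed JWT with the same exp claim.
function makeToken(exp) {
  return `${b64url({ alg: 'none' })}.${b64url({ exp })}.`;
}

// Read exp (seconds since epoch) from a JWT. No signature check here: the SPA
// only needs the time; the API is what validates the signature.
function tokenExpiry(jwt) {
  const payload = jwt.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(payload, 'base64').toString('utf8')).exp;
}

// Delay in ms until the accessTokenExpiring event should fire: expiry minus
// the notification window, clamped so an already-expired token renews at once.
function renewDelayMs(expSeconds, nowSeconds, notificationTime) {
  return Math.max(0, expSeconds - notificationTime - nowSeconds) * 1000;
}

// Stand-in for the timer automaticSilentRenew runs. silentRenew() must return a
// Promise of the new access token (in a browser this is the hidden-iframe
// request); on success the next renewal is scheduled from the new exp.
// now() and setTimer are injectable so the logic is testable without waiting.
function scheduleSilentRenew(accessToken, settings, silentRenew,
                             now = () => Math.floor(Date.now() / 1000),
                             setTimer = setTimeout) {
  const delay = renewDelayMs(tokenExpiry(accessToken), now(),
                             settings.accessTokenExpiringNotificationTime);
  return setTimer(async () => {
    try {
      const fresh = await silentRenew();
      scheduleSilentRenew(fresh, settings, silentRenew, now, setTimer);
    } catch (err) {
      // Silent renew fails when the IdentityServer session cookie is gone
      // (user signed out elsewhere, session expired); here the app has to
      // fall back to an interactive redirect. We only report it.
      console.error('silent renew failed, interactive sign-in required:', err.message);
    }
  }, delay);
}

// Offline demo: a token that expires in one hour should renew after 59 minutes.
const demoNow = 1700000000;
const demoToken = makeToken(demoNow + 3600);
console.log('renew in ms:',
  renewDelayMs(tokenExpiry(demoToken), demoNow, oidcSettings.accessTokenExpiringNotificationTime));
```

In a real SPA the only pieces you write are the settings object and the page at silent_redirect_uri, which calls UserManager.signinSilentCallback(); the timer and iframe are oidc-client's. The failure branch is the one to plan for: silent renew depends on the IdentityServer session cookie still being valid in the hidden iframe, so when it fails the app must redirect the user interactively, which is the redirect the question hopes to avoid in the common case.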