
Is silent_redirect_uri obsolete when using grant type Code


I have a question about refresh access tokens.

I am using IdentityServer 4.1.2 with the following configuration:

new Client
{
  ClientId = "myid",
  AllowedGrantTypes = GrantTypes.Code,
  RequireClientSecret = false,
  AccessTokenLifetime = 3600,
  RequirePkce = true,
  AllowOfflineAccess = true,
  ...
}

As you can see I am not using the deprecated Implicit flow, but the grant type is set to Code.

My SPA client is using oidc-client version 1.11.5 and is configured like this:

var config = {
    ...
    redirect_uri: `https://myspaurl/callback`,
    response_type: 'code',
    scope: 'openid profile offline_access',
    automaticSilentRenew: true,
    silent_redirect_uri: `https://myspaurl/static/silent-renew.html`,
    ...
  };

Note that I am asking for the offline_access scope, so I can get a refresh token.

When I run the application, the access token is being updated just fine every hour. In the Network tab in Chrome developer tool, I can see that the access token is being updated using this request url https://myidentityserver/connect/token. My silent_redirect_uri https://myspaurl/static/silent-renew.html is never requested. So my question is if the silent_redirect_uri is obsolete when using grant type Code instead of the old Implicit flow?


Solution

If the oidc client can get a refresh token it will use that rather than trying to use the silent redirect URI. Consider next these actions:

  • User reloads a page
  • User opens new browser tab / window

If the RT is not available during a reload then oidc client will fall back to the silent redirect URI behaviour.

The only way multi tab browsing can work with refresh tokens is to store the RT (a long lived credential) in local storage. You will then have a reliable app.

Note that using silent redirect URIs on a hidden iframe does not work in the Safari browser since it will drop third party cookies. Other browsers are expected to follow suit. So renewing tokens on a hidden iframe is indeed deprecated in 2021.

SECURITY

The problems are not over though:

  • Storing a RT in local storage is definitely not recommended for medium or high security apps - even if rotating refresh tokens are used

The 2021 recommendation is to instead store the refresh token in a strongly encrypted HTTP Only SameSite=strict cookie. This is known as the Back End for Front End pattern.

It is tricky but worth being aware of - perhaps as a future objective. Note also that oidc client is now an archived project.