Tags: authentication, authorization, openiddict, implicit-flow

Refresh token using Implicit flow. OpenIddict


According to the documentation, with the Implicit Flow we can't get a refresh_token.

Microsoft suggests using prompt=none and cookie authorization to update the token when it has expired:

The implicit grant does not provide refresh tokens. Both id_tokens and access_tokens will expire after a short period of time, so your app must be prepared to refresh these tokens periodically. To refresh either type of token, you can perform the same hidden iframe request from above using the prompt=none parameter to control the identity platform's behavior. If you want to receive a new id_token, be sure to use id_token in the response_type and scope=openid, as well as a nonce parameter.

It means that when my front-end application receives a 401 error from the resource server because the token has expired, it must go to the /authorize endpoint in the background and specify a redirect URI that will be used to redirect the application back once the token has been reissued.

When we use OpenIddict, we must specify the allowed redirect URIs in the database, and this URI must be constant, for example "https://www.MyApp.com/".

It is OK when we log the user in for the first time. But what should happen in the following case:

  1. The user clicks on a link, for example "https://www.MyApp.com/file/{fileId}/download" (the URI contains {fileId}, which is a variable part).
  2. The resource server returns a 401 error because the token has expired.
  3. The front-end app redirects the user in the background to the identity server using prompt=none: (https://www.myAuthServer.com/connect/authorize?client_id=console&response_type=id_token%20token&scope=openid&redirect_uri=https://www.MyApp.com/file/{fileId}/download&nonce=qwertyui&prompt=none). So it uses:
     • prompt = none
     • RedirectUri = "https://www.MyApp.com/file/{fileId}/download"
  4. I expect that my authorization server will reissue the token and redirect the user to the specified page with a new token, but instead I receive an error (invalid_request) because the URI "https://www.MyApp.com/file/{fileId}/download" is not present in the database among the allowed redirect URIs.

error: invalid_request
error_description: The specified 'redirect_uri' is not valid for this client application.
error_uri: https://documentation.openiddict.com/errors/ID2043

Can you advise me on a correct way to solve this problem?


Solution

  • Microsoft suggests using prompt=none and cookie authorization to update the token when it has expired.

    Sadly, this approach no longer works with modern browsers, since most of them ban third-party cookies by default, which prevents the authentication cookie from being sent by the iframe when using silent authentication requests (i.e. prompt=none requests).

    My recommendation is to use the code flow and refresh tokens. OpenIddict implements token refresh rotation by default to reduce security risks.
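To make the recommendation concrete, here is an added example (not code from the answer or from the OpenIddict project) of an OpenIddict server configured for the authorization code flow with PKCE and refresh tokens, plus a registration of the question's public "console" client with one constant redirect URI. It assumes OpenIddict 5.x on ASP.NET Core with the Entity Framework Core stores and a hypothetical `ApplicationDbContext`; because renewal is a POST of the refresh token to the token endpoint rather than a browser redirect, the variable page URI never has to be a registered redirect_uri.

```csharp
using OpenIddict.Abstractions;
using static OpenIddict.Abstractions.OpenIddictConstants;
// ApplicationDbContext is hypothetical: an EF Core context registered elsewhere with AddDbContext + UseOpenIddict().
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddOpenIddict()
    .AddCore(options => options.UseEntityFrameworkCore().UseDbContext<ApplicationDbContext>())
    .AddServer(options =>
    {
        options.SetAuthorizationEndpointUris("connect/authorize")
               .SetTokenEndpointUris("connect/token");
        // Code flow with PKCE replaces implicit. Renewal is a direct POST of the refresh
        // token to /connect/token, so no redirect_uri is involved when a token expires.
        options.AllowAuthorizationCodeFlow()
               .RequireProofKeyForCodeExchange()
               .AllowRefreshTokenFlow();
        // Short access tokens; bounded refresh token lifetime.
        options.SetAccessTokenLifetime(TimeSpan.FromMinutes(15))
               .SetRefreshTokenLifetime(TimeSpan.FromDays(14));
        // offline_access is the scope a client requests to be issued a refresh token.
        options.RegisterScopes(Scopes.OpenId, Scopes.OfflineAccess);
        // Rolling (rotated) refresh tokens are the default; DisableRollingRefreshTokens() is deliberately not called.
        options.AddDevelopmentEncryptionCertificate()
               .AddDevelopmentSigningCertificate();
        options.UseAspNetCore()
               .EnableAuthorizationEndpointPassthrough()
               .EnableTokenEndpointPassthrough();
    });
var app = builder.Build();
// Register the SPA once with a single constant redirect URI (the question's "console" client).
using (var scope = app.Services.CreateScope())
{
    var manager = scope.ServiceProvider.GetRequiredService<IOpenIddictApplicationManager>();
    if (await manager.FindByClientIdAsync("console") is null)
    {
        await manager.CreateAsync(new OpenIddictApplicationDescriptor
        {
            ClientId = "console",
            ClientType = ClientTypes.Public, // browser app, no client secret
            RedirectUris = { new Uri("https://www.MyApp.com/") },
            Permissions =
            {
                Permissions.Endpoints.Authorization, Permissions.Endpoints.Token,
                Permissions.GrantTypes.AuthorizationCode, Permissions.GrantTypes.RefreshToken,
                Permissions.ResponseTypes.Code
            },
            Requirements = { Requirements.Features.ProofKeyForCodeExchange }
        });
    }
}
app.Run();
```

The front end can still return the user to the deep link by remembering the original path locally (or in the `state` parameter) before the first login, since the redirect_uri itself stays constant.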