Hi,
Great library!
The automaticSilentRenew is not functioning. I set up my JavaScript similar to the provided sample.
I see messages in the console:
access token present, remaining duration: 178
Log.js:55 registering expiring timer in: 118
Log.js:55 registering expired timer in: 179
Log.js:55 Raising event: User loaded
automaticSilentRenew is configured, setting up silent renew
But when I look at the dev tools of Chrome or with Fiddler I cannot see any call to the auth server.
Thanks for your help,
Oren
Do you see any network activity?
No. I cannot see any calls to the oauth2 endpoints.
Enable logging please and see if any of the output helps: https://github.com/IdentityModel/oidc-client-js/wiki
Logging enabled:
Oidc.Log.logger = console;
Oidc.Log.level = Oidc.Log.INFO;
my settings:
silent_redirect_uri: window.location.protocol + "//" + window.location.host + "/silent.html",
automaticSilentRenew: true,
accessTokenExpiringNotificationTime: 100,
Still I cannot see any auto renew messages. When I try to call the API after the access token has expired I get a 401 message.
Please see the logs below:
UserManager.signinRedirect
oidc-client.js:8170 _signinStart
oidc-client.js:8170 got navigator window handle
oidc-client.js:8170 OidcClient.createSigninRequest
oidc-client.js:8170 MetadataService.getAuthorizationEndpoint
oidc-client.js:8170 MetadataService._getMetadataProperty authorization_endpoint
oidc-client.js:8170 MetadataService.getMetadata
oidc-client.js:8170 Returning metadata from settings
oidc-client.js:8170 metadata recieved
oidc-client.js:8170 Received authorization endpoint https://192.168.56.1:9443/oauth2/authorize
oidc-client.js:8170 SigninState.toStorageString
oidc-client.js:8170 WebStorageStateStore.set 7da64a24e97343a99893251d5b1708c0
oidc-client.js:8170 got signin request
oidc-client.js:8170 RedirectNavigator.navigate
Navigated to https://localhost:44328/login.html?client_id=_H4Jwi60Wzen8nlKbtB0toz4zAMa&c…min_spa_PRODUCTION&isSaaSApp=false&authenticators=BasicAuthenticator:LOCAL
:44328/login.html?client_id=_H4Jwi60Wzen8nlKbtB0toz4zAMa&commonAuthCallerPa…_spa_PRODUCTION&isSaaSApp=false&authenticators=BasicAuthenticator:LOCAL:92 QueryParamsLog: client_id,commonAuthCallerPath,forceAuth,passiveAuth,redirect_uri,response_type,scope,state,tenantDomain,sessionDataKey,relyingParty,type,sp,isSaaSApp,authenticators
Navigated to https://localhost:44328/consent.html?loggedInUser=ACCOUNTHOLDERS%2Forende%4…cess%2520api_read%2520api_write%26state%3D7da64a24e97343a99893251d5b1708c0
:44328/consent.html?loggedInUser=ACCOUNTHOLDERS%2Forende%40payoneer.com%40c…s%2520api_read%2520api_write%26state%3D7da64a24e97343a99893251d5b1708c0:72 QueryParamsLog: loggedInUser,application,scope,sessionDataKeyConsent,spQueryParams
Navigated to https://localhost:44327/callback.html
callback.html:28 ["", "": undefined]
oidc-client.js:8170 UserManager.signinRedirectCallback
oidc-client.js:8170 RedirectNavigator.url
oidc-client.js:8170 _signinEnd
oidc-client.js:8170 OidcClient.processSigninResponse
oidc-client.js:8170 UrlUtility.parseUrlFragment
oidc-client.js:8170 WebStorageStateStore.remove 7da64a24e97343a99893251d5b1708c0
oidc-client.js:8170 SigninState.fromStorageString
oidc-client.js:8170 Received state from storage; validating response
oidc-client.js:8170 ResponseValidator.validateSigninResponse
oidc-client.js:8170 ResponseValidator._processSigninParams
oidc-client.js:8170 state validated
oidc-client.js:8170 state processed
oidc-client.js:8170 ResponseValidator._validateTokens
oidc-client.js:8170 No id_token to validate
oidc-client.js:8170 tokens validated
oidc-client.js:8170 ResponseValidator._processClaims
oidc-client.js:8170 response is not OIDC, not processing claims
oidc-client.js:8170 claims processed
oidc-client.js:8170 got signin response
oidc-client.js:8170 _storeUser storing user
oidc-client.js:8170 User.toStorageString
oidc-client.js:8170 WebStorageStateStore.set user:https://192.168.56.1:9443/oauth2/:_H4Jwi60Wzen8nlKbtB0toz4zAMa
oidc-client.js:8170 user stored
oidc-client.js:8170 UserManagerEvents.load
oidc-client.js:8170 AccessTokenEvents.load
oidc-client.js:8170 canceling existing access token timers
oidc-client.js:8170 access token present, remaining duration: 300
oidc-client.js:8170 registering expiring timer in: 240
oidc-client.js:8170 registering expired timer in: 301
oidc-client.js:8170 Raising event: User loaded
callback.html:34 User {id_token: undefined, session_state: undefined, access_token: "86b8e1cda25ed300b5565c850312abc7", token_type: "Bearer", scope: undefined…}
Navigated to https://localhost:44327/index.html
oidc-client.js:8170 automaticSilentRenew is configured, setting up silent renew
oidc-client.js:8170 UserManager.getUser
oidc-client.js:8170 _loadUser
oidc-client.js:8170 WebStorageStateStore.get user:https://192.168.56.1:9443/oauth2/:_H4Jwi60Wzen8nlKbtB0toz4zAMa
oidc-client.js:8170 user storageString loaded
oidc-client.js:8170 User.fromStorageString
oidc-client.js:8170 user loaded
192.168.56.1:8243/myapi:1 GET https://192.168.56.1:8243/myapi 401 (Unauthorized)
So you wait the 240 seconds and you don't see any notifications about renewing? But you then wait 301 seconds and try to use the token and get the 401? Have you looked in the IdentityServer logs for any info as to why the token is not validating?
Token is valid for 300 sec. In that time it's validated correctly and I can
call the API. After it has expired I get the 401 error, which is fine. But
why doesn't the JavaScript try to renew the token? As I understand it, I should
see a call to the authorization endpoint 100 sec before the token expires, but
there is nothing in the Chrome dev tools. It's like the auto renew doesn't work...
What am I doing wrong?
On Thursday, June 16, 2016, Brock Allen [email protected] wrote:
So you wait the 240 seconds and you don't see any notifications about
renewing? But you then wait 301 seconds and try to use the token and get
the 401? Have you looked in the IdentityServer logs for any info as to why
the token is not validating?
Regards,
Oren Deri
I just tested it with this client: https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Clients/JavaScriptImplicitClient and I changed the token lifetime to 70 seconds and it's auto renewing properly.
Any update?
I also have the issue of automaticSilentRenew not working. It is only when I do not call mgr.signinSilent() at the beginning of the app.
For instance:
1: User is not signed into the app, so signinSilent() gets the user. (This will set the automaticSilentRenew to work.)
2: Refresh the page; the user is already loaded so I do not use signinSilent(). (automaticSilentRenew does not work.)
3: signinRedirect also causes automaticSilentRenew to stop working.
Also, I don't think that the automaticSilentRenew is the problem. It seems that the event accessTokenExpiring is not firing, therefore automaticSilentRenew is not being executed.
Same issue here. Only by calling mgr.signinSilent() will automaticSilentRenew work. Also, when should signinSilent() be called?
Will investigate next week
-Brock
On Aug 5, 2016, at 9:12 PM, jelard [email protected] wrote:
Same issue here. Only by calling mgr.signinSilent() will automaticSilentRenew work. Also, when should signinSilent() be called.
Well, for the life of me I can't reproduce this. The automatic silent renew will only work if you have actively loaded a user from the user manager. IOW, if all you do is instantiate and configure the user manager in a web page, then it won't automatically load the user and start the timer to check for automatic renewal. Perhaps this is why you only see it work if you call signinSilent? If you call loadUser instead, does it work?
So this got me thinking some more about this: If what I suspect is in fact the problem, and the user manager has the automatic silent renew enabled, should it automatically load the user to initiate the timer (so your app code doesn't have to)? I'm thinking that this can be done in an unobtrusive way...
I cloned the oidc-client repo and did some testing and automatic silent renew works if I click start signin main window button then end signin window. If I click signin main window with different call back page it does not work even if I call getUser() in the signinRedirectCallBack. However, if I pass the same settings in the Oidc.UserManager in the user-manager-sample-callback.html it started working.
Ok, so I think what you just described matches what I said above: You need to somehow have the user loaded thru the user manager to have the automatic silent renew initialize.
So back to my other question: if automatic silent renew is configured, I guess I should enhance the user manager to internally load the user to initialize the timer. Agreed?
Yes.
I've pushed 1.1.0-beta.4 to npm. Now the user manager should automatically load the user and initialize the expiring timers so automatic renew should work without intervention.
Please test and let me know if it's working.
Just tested it and it's working. Thanks!
Good to hear. Thanks.
Hi @brockallen - whilst on topic, does the silent renew functionality work with Identity Server? I'm pretty sure I had it working this morning, but it seems to have stopped working due to the X-Frame-Options being set to 'SAMEORIGIN' in the response from Identity Server:
Refused to display 'https://identity.....local/connect/authorize?client_id=portal....0c9408a9d26eb5fbc249718&nonce=ac1eedb1148f4023a8fde79fc2b29c81&prompt=none' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
I'm not sure how this has happened!
Any suggestions would be welcomed. Thanks.
Found out what the problem was with my above query...
If the silent renew URL is not listed in the RedirectUris property of the Client in Identity Server, then the "The client application is not known or is not authorized." error page is returned by Identity Server for rendering in the hidden iframe. This response has the 'X-Frame-Options' header set to 'SAMEORIGIN', and so the browser refuses to show the iframe.
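A pre-flight check for the RedirectUris cause described above, together with the timer arithmetic visible in the logs earlier in the thread. This is an added example, not code from the thread or from oidc-client; `checkSilentRenew`, the registered-URI list, the sample URLs and the exact-string comparison of redirect URIs are assumptions of the example.

```javascript
// Added example: settings check for oidc-client silent renew.
// All URLs and the registered list below are constructed sample values.
const DEFAULT_EXPIRING_NOTIFICATION_SEC = 60; // oidc-client default

function checkSilentRenew(settings, registeredRedirectUris, tokenLifetimeSec) {
  const problems = [];
  if (!settings.automaticSilentRenew) {
    problems.push("automaticSilentRenew is not enabled");
  }
  // Assumption: the server compares redirect URIs as exact strings, so a
  // different port, path or trailing slash counts as "not registered".
  for (const key of ["redirect_uri", "silent_redirect_uri"]) {
    const uri = settings[key];
    if (!uri) {
      problems.push(key + " is not set");
    } else if (!registeredRedirectUris.includes(uri)) {
      // This is the case that returns the error page to the hidden iframe.
      problems.push(key + " is not registered: " + uri);
    }
  }
  // Timer arithmetic as shown in the logs above:
  // remaining 300 -> "expiring timer in: 240", "expired timer in: 301".
  const configured = settings.accessTokenExpiringNotificationTime;
  const notify = typeof configured === "number"
    ? configured : DEFAULT_EXPIRING_NOTIFICATION_SEC;
  const expiringInSec = tokenLifetimeSec - notify;
  if (expiringInSec <= 0) {
    problems.push("notification time " + notify +
      "s is not shorter than the token lifetime");
  }
  const expiredInSec = tokenLifetimeSec + 1;
  return { ok: problems.length === 0, problems, expiringInSec, expiredInSec };
}

// Constructed sample: callback.html is registered, silent.html is not.
const origin = "https://localhost:44327";
const settings = {
  redirect_uri: origin + "/callback.html",
  silent_redirect_uri: origin + "/silent.html",
  automaticSilentRenew: true,
};
const before = checkSilentRenew(settings, [origin + "/callback.html"], 300);
const after = checkSilentRenew(
  settings, [origin + "/callback.html", origin + "/silent.html"], 300);
console.log(before.problems, after.ok, after.expiringInSec);
```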