Oidc-client-js: silent_redirect_uri should not be required when using refresh tokens

Created on 13 Feb 2019 · 9 Comments · Source: IdentityModel/oidc-client-js

When a refresh token is available, the library uses that to do a silentRenew. Relevant code in UserManager.js:

signinSilent(args = {}) {
    // first determine if we have a refresh token, or need to use iframe
    return this._loadUser().then(user => {
        if (user && user.refresh_token) {
            // refresh-token path: no iframe, so silent_redirect_uri is never used here
            args.refresh_token = user.refresh_token;
            return this._useRefreshToken(args);
        }
        else {
            // iframe path: this is the only branch that needs silent_redirect_uri
            args.id_token_hint = args.id_token_hint || (this.settings.includeIdTokenInSilentRenew && user && user.id_token);
            return this._signinSilentIframe(args);
        }
    });
}

Hence if refresh tokens are available, silent_redirect_uri should not really be needed if I understand it correctly. But the following code in UserSettings.js prevents automaticSilentRenew if no silent_redirect_uri is set:

get automaticSilentRenew() {
    // gates the renew timer on silent_redirect_uri, regardless of whether a refresh token would be used
    return !!(this.silent_redirect_uri && this._automaticSilentRenew);
}

This looks like a bug to me, automaticSilentRenew should be possible without a silent_redirect_uri if refresh tokens are available. Or am I missing something?

bug
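
The interaction described in this issue, as an added example that is not oidc-client-js code: a small model of the two checks quoted above, with the renew gate in its reported form next to the form the fix describes, and a simulated token expiry to show which renewal path each gate allows. The settings objects, user objects, token placeholders and the chooseRenewPath and simulateExpiry helpers are constructed for this example; the "none" outcome is an assumption about what is left when neither a refresh token nor a silent_redirect_uri is available.

```javascript
// Added example, not code from oidc-client-js: models the two checks quoted in the issue.

// Renew gate as quoted from UserSettings.js (the reported behaviour):
// the timer is disabled unless silent_redirect_uri is configured.
function automaticSilentRenewReported(settings) {
  return !!(settings.silent_redirect_uri && settings.automaticSilentRenew);
}

// Renew gate as the fix in the thread describes it: the flag alone decides.
function automaticSilentRenewFixed(settings) {
  return !!settings.automaticSilentRenew;
}

// Mirrors the branch in signinSilent(): a stored refresh token is used directly,
// otherwise an iframe renewal is attempted. The "none" result is an assumption
// made for this example: without a refresh token the iframe path needs a
// silent_redirect_uri, so no silent path is left.
function chooseRenewPath(settings, user) {
  if (user && user.refresh_token) {
    return "refresh_token";
  }
  if (settings.silent_redirect_uri) {
    return "iframe";
  }
  return "none";
}

// Simulates the access token approaching expiry: the gate decides whether the
// timer fires at all, then the path selection above decides how renewal happens.
function simulateExpiry(settings, user, gate) {
  if (!gate(settings)) {
    return "skipped";
  }
  return chooseRenewPath(settings, user);
}

// Constructed sample configuration and users; token values are placeholders.
const codeFlowSettings = {
  response_type: "code",
  scope: "openid profile offline_access",
  automaticSilentRenew: true
  // silent_redirect_uri deliberately absent: refresh tokens are expected
};

const implicitFlowSettings = {
  response_type: "id_token token",
  scope: "openid profile",
  automaticSilentRenew: true,
  silent_redirect_uri: "https://app.example/silent-renew.html"
};

const userWithRefreshToken = {
  access_token: "placeholder-access-token",
  refresh_token: "placeholder-refresh-token",
  id_token: "placeholder-id-token"
};

const userWithoutRefreshToken = {
  access_token: "placeholder-access-token",
  id_token: "placeholder-id-token"
};

// Runs every gate against every configuration and returns a table of outcomes.
function outcomes() {
  const gates = { reported: automaticSilentRenewReported, fixed: automaticSilentRenewFixed };
  const result = {};
  for (const [gateName, gate] of Object.entries(gates)) {
    result[gateName] = {
      codeFlowWithRefresh: simulateExpiry(codeFlowSettings, userWithRefreshToken, gate),
      codeFlowWithoutRefresh: simulateExpiry(codeFlowSettings, userWithoutRefreshToken, gate),
      implicitFlow: simulateExpiry(implicitFlowSettings, userWithoutRefreshToken, gate)
    };
  }
  return result;
}

console.log(JSON.stringify(outcomes(), null, 2));
```

With the reported gate, a code-flow app that holds a refresh token never gets its timer started, which is why the workaround in the thread is to configure a silent_redirect_uri that is never used. With the fixed gate the refresh-token path runs without it, but a user who has no refresh token and no silent_redirect_uri lands in the "none" case, so that configuration still needs an interactive sign-in when the token expires.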

All 9 comments

Yea, good point. I think when I updated for code flow/refresh tokens I didn't revisit that piece of code. Personally I wish I had never added automaticSilentRenew, and in 2.0 I plan to remove it. So yes, it's a bug in this version.

Are you needing this to be fixed?

@brockallen a fix would be nice :)

So would a PR :)

Thanks for the response @brockallen. No, doesn't need an urgent fix. I can just specify a silent_redirect_uri even though it's not used. So not a big problem, just something I noticed.

@brockallen Please don't remove automaticSilentRenew. :)

Ok, I think I have fixed this by changing automaticSilentRenew to not require the silent_redirect_uri.

[email protected] released; please have a look and see if it satisfies this issue.

Any chance to test on the beta?

FYI: I ran into this bug in 1.7.0 and it disappeared by upgrading to 1.7.1. Thanks @brockallen !
