Hi. I was reading Allen's blog on SPA, implicit flow and switch to PKCE proposals.
https://brockallen.com/2019/01/03/the-state-of-the-implicit-flow-in-oauth2/
I have tried to invoke Authorization code with PKCE (successfully) but then tried to use silent renew to obtain new access token but I failed. Client was using token endpoint automatically.
(I am not sure if this is something called hybrid flow, I saw mention of it in some other issue)
So my question is: is it possible to use authorization code with PKCE flow and then use silent renew to meet the proposed solution suggested in the blog?
if yes, what should be set as a response_type
if no, is there a plan to support such scenario?
thank you,
Ante
Client was using token endpoint automatically.
If your server issues a refresh token then that's what's used in silent renew. Stop issuing a refresh token.
thanks, that worked like a charm :)
so just to write down settings for anyone else looking for the same behavior:
client settings on oauth server should be:
grant_types:
response_types:
scope: "openid ..." // don't set offline or offline_access - that would return refresh_token and silent renew would use token endpoint using refresh token
(NOTE: it is not necessary to remove offline from server scope settings, but then you are making sure that even if you forget it in frontend code you won't leak it accidentally to the frontend)
in userManager (oidc-client) set:
response_type: code
scope: "openid ..." // don't set offline
silent_redirect_uri: ${window.location.origin}/silent_renew.html // origin already includes ":port" when one is present
I am using https://github.com/ory/hydra so it works fine without IdentityServer
thank you, great library!
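Added example (not from the thread or the oidc-client project): a small helper that builds the UserManager settings for the code + PKCE + silent-renew setup described above and refuses any scope that would make the server hand a refresh token to the browser. `authority`, `client_id` and the `loc` object are assumed placeholders for `window.location`-like input.

```javascript
// Scopes that make an OAuth server issue a refresh token; oidc-client would then
// renew via the token endpoint instead of the silent iframe flow.
const REFRESH_TOKEN_SCOPES = new Set(['offline', 'offline_access']);

// window.location.port is '' on default ports, so only append ':port' when set.
function baseUrl(loc) {
  const port = loc.port ? `:${loc.port}` : '';
  return `${loc.protocol}//${loc.hostname}${port}`;
}

function silentRedirectUri(loc) {
  return `${baseUrl(loc)}/silent_renew.html`;
}

// Returns the settings object to pass to `new UserManager(settings)`.
// Throws if the scope list would leak a refresh token to the SPA.
function buildUserManagerSettings({ authority, client_id, scopes, loc }) {
  const leaked = scopes.filter((s) => REFRESH_TOKEN_SCOPES.has(s));
  if (leaked.length > 0) {
    throw new Error(`remove scope(s) ${leaked.join(', ')}: a refresh token would be issued to the browser`);
  }
  if (!scopes.includes('openid')) {
    throw new Error("scope must include 'openid'");
  }
  return {
    authority,                        // placeholder, e.g. the Hydra public URL
    client_id,                        // placeholder client id registered on the server
    response_type: 'code',            // authorization code; oidc-client adds PKCE for 'code'
    scope: scopes.join(' '),
    redirect_uri: `${baseUrl(loc)}/callback.html`,
    silent_redirect_uri: silentRedirectUri(loc),
    automaticSilentRenew: true,       // renew via hidden iframe before access_token expiry
  };
}

module.exports = { buildUserManagerSettings, silentRedirectUri, baseUrl };
```

The silent_renew.html page itself only needs to call `new UserManager({}).signinSilentCallback()` so the iframe result reaches the parent window.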