
Comments (10)

leastprivilege commented on August 27, 2024

> i have the requirement to implement an ID token refresh.

why?

from identitymodel.aspnetcore.

ViRuSTriNiTy commented on August 27, 2024

> i have the requirement to implement an ID token refresh.
>
> why?

Because in my case the ID token needs to be refreshed after 1 hour (policy setting I am not allowed to change) or the user will be logged out and redirected to the home page. As far as I know the ID token should be short lived hence it would make sense to refresh it from time to time. Is this correct?


leastprivilege commented on August 27, 2024

I am not following -

an ID token has 2 purposes

a) communicating the result of the authentication event back to the client
b) legitimating the client during an end session request


VictorioBerra commented on August 27, 2024

@ViRuSTriNiTy Maybe you mean access token? You would not use the ID token to auth to an API.


ViRuSTriNiTy commented on August 27, 2024

Hmm, I don't really know where to start with this. I have read too many articles with too many different opinions regarding that subject.

Currently my implementation checks the expiration of the id token (with the goal of achieving at least minimal authentication) and if it has expired I cannot do anything but redirect to the home page. Here the user can click login again, gets redirected to the Identity provider, which in turn directly redirects to the app (surely because the id token was recognized and refreshed / renewed).

The issue here is that a) it is a Blazor app and I completely lose the state of my app due to the HTTP redirect and b) the user is interrupted in their workflow. I would really like to avoid a) and b) with some sort of refresh handling like it's done with the access token in the background; if this fails I can fall back to the current state with HTTP redirects.

So I googled a bit and I found this interesting statement on stackoverflow:

... that's how you initially get the ID Token, but how do you refresh it? OIDC Section 12: Using Refresh Tokens has the following statement about the Refresh Token Response:

Upon successful validation of the Refresh Token, the response body is the Token Response of Section 3.1.3.3 except that it might not contain an id_token.

It might not contain an ID Token and since there is no way specified to force it to include the ID token, you must assume that the response will not contain the ID Token. So technically there is no specified way to "refresh" an ID Token using a refresh token. Therefore, the only way to get a new ID Token is to re-authorize/authenticate the user by redirecting the user to the authorization endpoint and starting the implicit flow or authentication code flow as described above. The OIDC specification does add a prompt request parameter to the authorization request so the client can request that the authorization server not prompt the user with any UI, but the redirect still has to happen.

I use Azure AD B2C and the access token refresh call returns a refreshed id token. I could process this refreshed id token (seems like the easier approach) or I could try to implement a redirect in the background as described in the quote (if this is even possible).

I hope this makes the issue a bit more understandable.

Btw: just for reference, here is an example for id token refresh handling in an angular environment:

https://damienbod.com/2017/06/02/implementing-a-silent-token-renew-in-angular-for-the-openid-connect-implicit-flow/

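
The refresh-token path described in the comment above (the token endpoint may or may not return an id_token, and in the Azure AD B2C case it does), as an added JavaScript example that is not from this thread, from identitymodel.aspnetcore or from Azure AD B2C: it applies a token response to a stored session, keeps the old ID token when the response carries none, and when one is present checks it against the ID token from the original sign-in the way OIDC Core section 12.2 requires (same iss, sub, aud and auth_time, a fresh iat, not expired) before accepting it. The issuer, client_id, session object and sample tokens are constructed for the example; signature verification is assumed to have been done by the OIDC library before these claim checks run.

```javascript
// Added example, not code from the thread or from identitymodel.aspnetcore.
// Handles a refresh-token response whose id_token is optional and validates a
// refreshed ID token against the original per OIDC Core 12.2. Signature
// verification is assumed to happen in the OIDC library before this runs.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4));
}

function base64UrlEncode(s) {
  return btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Payload of a compact JWT (no signature check here, see note above).
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// OIDC Core 12.2: iss, sub, aud (and auth_time/azp when present) must match the
// original ID token; iat must be fresh; the token must not be expired.
function validateRefreshedIdToken(previousIdToken, newIdToken, clientId, now) {
  const prev = decodeJwtPayload(previousIdToken);
  const next = decodeJwtPayload(newIdToken);
  const errors = [];
  if (next.iss !== prev.iss) errors.push('iss changed');
  if (next.sub !== prev.sub) errors.push('sub changed');
  const aud = Array.isArray(next.aud) ? next.aud : [next.aud];
  if (!aud.includes(clientId)) errors.push('aud does not contain client_id');
  if (typeof next.iat !== 'number' || next.iat > now + 60) errors.push('iat missing or in the future'); // 60 s skew
  if (typeof next.exp !== 'number' || next.exp <= now) errors.push('exp missing or expired');
  if (prev.auth_time !== undefined && next.auth_time !== undefined && next.auth_time !== prev.auth_time) {
    errors.push('auth_time changed');
  }
  if (next.azp !== undefined && next.azp !== clientId) errors.push('azp is not client_id');
  return { ok: errors.length === 0, errors, claims: next };
}

// Apply a token-endpoint response (grant_type=refresh_token) to the stored session.
function applyRefreshResponse(session, tokenResponse, clientId, now) {
  const updated = { ...session, accessToken: tokenResponse.access_token };
  if (tokenResponse.refresh_token) updated.refreshToken = tokenResponse.refresh_token; // rotation
  if (tokenResponse.id_token === undefined) {
    // Allowed by the spec: keep the old ID token; its exp is unchanged, so the
    // caller still has to plan a silent renew or interactive login before then.
    return { session: updated, idTokenRefreshed: false, errors: [] };
  }
  const result = validateRefreshedIdToken(session.idToken, tokenResponse.id_token, clientId, now);
  if (!result.ok) return { session, idTokenRefreshed: false, errors: result.errors }; // reject, keep old session
  updated.idToken = tokenResponse.id_token;
  updated.idTokenExpiresAt = result.claims.exp;
  return { session: updated, idTokenRefreshed: true, errors: [] };
}

// Constructed sample token: JWT layout with a dummy signature part, offline use only.
function makeSampleIdToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.sig`;
}

// Constructed sample data (assumed issuer, client_id and clock).
const NOW = 1700000000;
const CLIENT_ID = 'blazor-app';
const ISSUER = 'https://login.example.com/';
const originalIdToken = makeSampleIdToken({
  iss: ISSUER, sub: 'user-123', aud: CLIENT_ID, iat: NOW - 3600, exp: NOW, auth_time: NOW - 3600,
});
const session = { idToken: originalIdToken, accessToken: 'at-old', refreshToken: 'rt-old' };
```

The session object is the one the Blazor app would keep in memory; when `idTokenRefreshed` is false the app knows it must schedule a silent renew or an interactive login before `idTokenExpiresAt`, instead of discovering the expiry by being redirected.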

VictorioBerra commented on August 27, 2024

You should try a silent renew. A renew is different from a refresh: in this situation you will create an iframe, and the user will bounce through login and be re-logged in again. https://github.com/IdentityModel/oidc-client-js/blob/dev/samples/VanillaJS/public/user-manager-sample-silent.js

https://github.com/IdentityModel/oidc-client-js/blob/dev/src/UserManager.js#L160

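
The silent renew the comment above points at, as an added browser JavaScript example that is not from this thread, from oidc-client-js or from identitymodel.aspnetcore: a prompt=none authorization request loaded in a hidden iframe, a one-line callback page that posts the response fragment back to the application window, and state and nonce checks on what comes back. The authorization endpoint, client_id, redirect URI and the config object are assumed values. It uses response_type=id_token, the implicit-style renew the linked Angular article uses; current guidance prefers authorization code with PKCE, where the same iframe and prompt=none mechanics apply but the fragment carries a code that is then exchanged at the token endpoint. One caveat a practitioner should plan for: the iframe only works while the browser sends the provider's session cookie in a third-party context, which current browsers increasingly block, so a timeout or a login_required error has to mean "fall back to the interactive redirect".

```javascript
// Added example, not code from the thread, oidc-client-js or identitymodel.aspnetcore.
// Assumed configuration values for illustration.
const SILENT_RENEW_CONFIG = {
  authorizationEndpoint: 'https://login.example.com/authorize',      // assumed
  clientId: 'blazor-app',                                             // assumed
  silentRedirectUri: 'https://app.example.com/silent-callback.html',  // assumed
  scope: 'openid profile',
};

// Random hex value for state and nonce (WebCrypto: browsers, Node 19+).
function randomToken() {
  const bytes = new Uint8Array(16);
  globalThis.crypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Same request as a normal login, plus prompt=none: the provider must answer
// with an error (login_required, interaction_required, ...) instead of showing UI.
function buildSilentRenewUrl(config, state, nonce) {
  const url = new URL(config.authorizationEndpoint);
  const p = url.searchParams;
  p.set('client_id', config.clientId);
  p.set('redirect_uri', config.silentRedirectUri);
  p.set('response_type', 'id_token');
  p.set('scope', config.scope);
  p.set('state', state);
  p.set('nonce', nonce);
  p.set('prompt', 'none');
  return url.toString();
}

// Payload of a compact JWT; signature verification is left to the OIDC library.
function decodeJwtPayload(jwt) {
  const part = jwt.split('.')[1];
  if (part === undefined) throw new Error('not a compact JWS');
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)));
}

// Interpret the fragment the callback page posted back. state is checked first,
// so a fragment that did not originate from our own request is dropped outright.
function parseSilentCallback(fragment, expectedState, expectedNonce) {
  const params = new URLSearchParams(fragment.startsWith('#') ? fragment.slice(1) : fragment);
  if (params.get('state') !== expectedState) return { ok: false, reason: 'state_mismatch' };
  const error = params.get('error');
  if (error) return { ok: false, reason: error, description: params.get('error_description') || '' };
  const idToken = params.get('id_token');
  if (!idToken) return { ok: false, reason: 'no_id_token' };
  const claims = decodeJwtPayload(idToken);
  if (claims.nonce !== expectedNonce) return { ok: false, reason: 'nonce_mismatch' };
  return { ok: true, idToken, claims };
}

// Browser only. The page served at silentRedirectUri needs a single line:
//   window.parent.postMessage(window.location.hash, window.location.origin);
function silentRenew(config, timeoutMs = 10000) {
  const state = randomToken();
  const nonce = randomToken();
  return new Promise((resolve) => {
    const iframe = document.createElement('iframe');
    iframe.style.display = 'none';
    let timer;
    const onMessage = (ev) => {
      // Accept only messages from our own origin and from this particular iframe.
      if (ev.origin !== window.location.origin || ev.source !== iframe.contentWindow) return;
      finish(parseSilentCallback(String(ev.data), state, nonce));
    };
    const finish = (result) => {
      clearTimeout(timer);
      window.removeEventListener('message', onMessage);
      iframe.remove();
      resolve(result);
    };
    timer = setTimeout(() => finish({ ok: false, reason: 'timeout' }), timeoutMs);
    window.addEventListener('message', onMessage);
    iframe.src = buildSilentRenewUrl(config, state, nonce);
    document.body.appendChild(iframe);
  });
}
```

A result with `ok: true` still has to go through the normal ID token validation (signature, iss, aud, exp) before it replaces the stored token; `silentRenew` only tells the app whether the provider still has a session and whether the response belongs to the request it made.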

brockallen commented on August 27, 2024

I have read too many articles with too many different opinions regarding that subject.

It's like religion... with so many differing opinions, the odds are that most of them are wrong (but they think they're right due to sufficient misunderstanding).

Joking aside, I'd suggest you find in the specs where it supports your approach.


leastprivilege commented on August 27, 2024

Any update on the issue? closing for now - feel free to re-open if it needs further discussion.


ViRuSTriNiTy commented on August 27, 2024

@leastprivilege I will try the "silent renew" approach. I think this keyword combination was missing in my search hence I always opted for something with "refresh".


github-actions commented on August 27, 2024

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue.

