On Wed, Oct 16, 2019 at 4:36 PM Prakhash Sivakumar <[email protected]> wrote:
> Hi Devs,
>
> We have an Angular application which uses the implicit grant. In the
> application, once the user is authenticated, while the IDP session is active
> we do a silent refresh using an iframe to keep the token alive, but here I
> face a scenario like this.
>
> Let's say the access token has a lifespan of 10 min and the session
> at the identity server has a lifespan of 15 min. I would like to do a
> silent refresh when the access token is about to expire, for example
> at 9 min. In this case, as there is already an active token,
> the IDP will return that active token, which has a 1 min lifespan. So
> before the next silent refresh call the token will have expired.
>
> How can I handle this scenario? As this is a SPA, I don't want to do
> revoke and renew, because we would have to store the client_secret in order
> to do this. So what is the best approach for this?
>

Actually, if the token was obtained using the implicit grant, then you
should be able to revoke without the client secret. If the public client is
unable to revoke its token without a client secret, that itself is a
security issue.

> I was thinking of a scenario like appending a random scope to the original
> requested scope each time we do the silent refresh, so we get a new access
> token every time. Would that be a correct approach?
>

We can use this approach if the OAuth2 server does not validate scopes.

>
> Appreciate your thoughts on this.
>
> Regards,
> Prakhash
>
> --
> *Prakhash Sivakumar | Senior Software Engineer | WSO2 Inc*
> *+94771510080 | [email protected] <[email protected]>
> | https://medium.com/@PrakhashS <https://medium.com/@PrakhashS>*
>

--
Farasath Ahamed
Associate Technical Lead, WSO2 Inc.: http://wso2.com
Mobile: +94777603866
Blog: https://farasath.blogspot.com / https://medium.com/@farasath
Twitter: @farazath619 <https://twitter.com/farazath619>
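The short-lived-token problem discussed above, as an added example that is not code from the thread or from WSO2: a client-side silent-refresh policy that inspects the token the IdP hands back, revokes it through the public-client revocation flow (RFC 7009 with only `token` and `client_id`, no secret) when it would expire before the next scheduled refresh, and then retries. `refresher` (the hidden-iframe round trip) and `revoker` (the revocation POST) are hypothetical hooks the application supplies.

```javascript
// Added example, not code from the thread. Policy for an implicit-grant SPA whose
// IdP returns the still-active, nearly expired token on a silent refresh.
// `refresher` and `revoker` are hypothetical hooks supplied by the application.

// Parse the implicit-grant response fragment: #access_token=...&expires_in=...
function parseFragment(fragment) {
  const params = new URLSearchParams(fragment.replace(/^#/, ''));
  const accessToken = params.get('access_token');
  const expiresIn = Number(params.get('expires_in'));
  if (!accessToken || !Number.isFinite(expiresIn) || expiresIn < 0) {
    throw new Error('malformed implicit grant response');
  }
  return { accessToken, expiresIn };
}

// Schedule the next silent refresh `leadSeconds` before expiry, never in the past.
function nextRefreshDelay(expiresIn, leadSeconds) {
  return Math.max(0, expiresIn - leadSeconds);
}

// A returned token is only worth keeping if it outlives the refresh lead time.
// Otherwise (the "1 min left" case from the thread) revoke it, so the IdP stops
// handing back the same token and mints a fresh one on the next request.
function refreshDecision(expiresIn, leadSeconds) {
  return expiresIn > leadSeconds ? 'keep' : 'revoke-and-retry';
}

// Drive one silent-refresh cycle. Retries are bounded so a dying IdP session that
// keeps issuing short tokens cannot trap the client in a revoke/refresh loop;
// `fresh: false` tells the caller to fall back to a full interactive login.
async function silentRefresh(refresher, revoker, leadSeconds, maxRetries = 1) {
  for (let attempt = 0; ; attempt += 1) {
    const token = parseFragment(await refresher());
    const decision = refreshDecision(token.expiresIn, leadSeconds);
    if (decision === 'keep' || attempt >= maxRetries) {
      return {
        ...token,
        fresh: decision === 'keep',
        nextRefreshInSeconds: nextRefreshDelay(token.expiresIn, leadSeconds),
      };
    }
    // Public-client revocation: the request carries token and client_id only,
    // never a client_secret (there is none to embed in a SPA).
    await revoker(token.accessToken);
  }
}
```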
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
