On Wed, Oct 16, 2019 at 1:13 PM Farasath Ahamed <farasa...@wso2.com> wrote:

> On Wed, Oct 16, 2019 at 4:36 PM Prakhash Sivakumar <prakh...@wso2.com> wrote:
>
>> Hi Devs,
>>
>> We have an Angular application which uses the implicit grant. In the
>> application, once the user is authenticated, while the IDP session is active
>> we do a silent refresh using an iframe to keep the token alive, but here I
>> face a scenario like this.
>>
>> Let's say the access token has a lifespan of 10 min and the session
>> at the identity server has a lifespan of 15 min. I would like to do a
>> silent refresh when the access token is about to expire, for example
>> at 9 min. In this case, as there is already an active token, the IDP
>> will return that active token, which has a 1 min lifespan. So before
>> the next silent refresh call the token will have expired.
>>
>> How can I handle this scenario? As this is a SPA, I don't want to do
>> revoke and renew because we would have to store the client_secret in order
>> to do this. So what is the best approach for this?
>
> Actually, if the token was obtained using the implicit grant, then you
> should be able to revoke without the client secret. If the public client is
> unable to revoke its token without a client secret, that itself is a
> security issue.
>
>> I was thinking of a scenario like appending a random scope to the original
>> requested scope each time we do the silent refresh, so we get a new access
>> token every time. Would that be a correct approach?
>
> We can use this approach, if the OAuth2 server does not validate scopes.

Thanks a lot Fara for the quick response. Here I'm going to send the needed
scope + additional scope. So I think as per my use case, this should be fine :)

Regards,
Prakhash

>> Appreciate your thoughts on this.
>>
>> Regards,
>> Prakhash
>>
>> --
>> *Prakhash Sivakumar | Senior Software Engineer | WSO2 Inc*
>> *+94771510080 | prakh...@wso2.com | https://medium.com/@PrakhashS*
>
> --
> Farasath Ahamed
> Associate Technical Lead, WSO2 Inc.: http://wso2.com
> Mobile: +94777603866
> Blog: https://farasath.blogspot.com / https://medium.com/@farasath
> Twitter: @farazath619 <https://twitter.com/farazath619>

--
*Prakhash Sivakumar | Senior Software Engineer | WSO2 Inc*
*+94771510080 | prakh...@wso2.com | https://medium.com/@PrakhashS*
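An added example, not code from the thread or from WSO2: a small browser-side helper showing how a SPA can parse the implicit-grant callback fragment and schedule its next silent refresh from the `expires_in` the IDP actually returned, so a reused token with only 1 min left is renewed in time instead of waiting for a fixed 9-minute timer. The margin and floor constants, the sample fragment, the state value and the `startSilentRefresh` hook are all constructed assumptions.

```javascript
// Added example, not from the thread: schedule the silent refresh from the
// token lifetime the IdP really returned instead of from a fixed timer.
const REFRESH_MARGIN_SEC = 60;    // assumed policy: refresh 1 min before expiry
const MIN_REFRESH_DELAY_SEC = 5;  // assumed floor so a reused token still triggers a refresh

// Constructed sample: the IdP handed back the already active token with 60 s left.
const SAMPLE_FRAGMENT =
  "#access_token=tok-constructed&token_type=Bearer&expires_in=60&state=abc123&scope=openid";

// Parse the implicit-grant callback fragment (RFC 6749 section 4.2.2).
// The state check rejects a response that was not produced by our own
// silent-refresh request; an error response is surfaced instead of a token.
function parseImplicitFragment(fragment, expectedState) {
  const params = new URLSearchParams(fragment.replace(/^#/, ""));
  if (params.has("error")) return { error: params.get("error") };
  if (params.get("state") !== expectedState) return { error: "state_mismatch" };
  const accessToken = params.get("access_token");
  const expiresIn = Number(params.get("expires_in"));
  if (!accessToken || !Number.isFinite(expiresIn) || expiresIn <= 0) {
    return { error: "invalid_response" };
  }
  return {
    accessToken,
    expiresIn,                                       // seconds, as sent by the IdP
    tokenType: params.get("token_type") || "Bearer",
    scope: params.get("scope") || "",
  };
}

// Seconds until the next silent refresh. A fresh 10 min token gives 540 s
// (the 9 min timer from the thread); a reused token with 60 s left gives the
// 5 s floor, so it is renewed before it expires rather than after.
function nextRefreshDelaySec(expiresIn) {
  return Math.max(expiresIn - REFRESH_MARGIN_SEC, MIN_REFRESH_DELAY_SEC);
}

// Wire both together: returns the delay chosen, or -1 when no token was obtained.
// `startSilentRefresh` is an assumed hook that (re)loads the hidden iframe;
// `timer` defaults to setTimeout and is injectable for testing.
function scheduleFromFragment(fragment, expectedState, startSilentRefresh, timer = setTimeout) {
  const result = parseImplicitFragment(fragment, expectedState);
  if (result.error) return -1;
  const delay = nextRefreshDelaySec(result.expiresIn);
  timer(startSilentRefresh, delay * 1000);
  return delay;
}
```

If the refreshed token repeatedly comes back with less lifetime than the margin, the IdP is reusing the active token, which is the moment to fall back to revoke-and-renew rather than keep re-refreshing.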
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev