As I understand it, you must not issue a refresh token to an SPA. But there are options for getting a new access token, like silent authentication.

To make things simple: you supply a refresh token to the Authorization Server (AS) and get a new access token. With silent authentication you pass the current access token to some endpoint on the AS and, if it is valid, you get a new access token.

So please correct me, because I do not understand why silent authentication is the more secure approach.

Arkady Rost

1 Answer

> With silent authentication you pass the current access token to some endpoint on the AS and, if it is valid, you get a new access token.

That's not correct.

The flow with silent authentication looks like this:

Auth Server (AS) and Client (SPA)

  • SPA redirects the user to log in with the AS.
  • AS logs the user in and redirects back to the SPA with an access token that can be used to access an API.
  • SPA calls the API until it gets a 401 (or uses some other mechanism to figure out that it is time to get a new access token).
  • SPA does a silent GET to the AS authorize endpoint in an attempt to get a new access token. It does not need to supply the old, expired access token.
  • IF AND ONLY IF the user still has a valid session with the AS (some sort of auth cookie, likely) will the AS respond with a valid access token (if the AS believes the request is valid).

A good article explaining silent authentication

For why to prefer an auth cookie over a refresh token, this question clarifies that.

Alex Buyny
  • @alex-buny Yes, if you don't use a refresh token, you need to use cookies. And there's nothing "silent" about the authentication. Users have to enter their credentials at some point in the process. It's just that, if their cookie-based login hasn't expired, they can get a new access token at any time without a new interaction. As indicated by the link, you're really talking about the [OIDC Implicit Flow](https://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowSteps). The lifetime of the session is controlled by the login server that gave you the cookies. – Charlie Reitzel Jan 17 '20 at 23:00
  • The difference here compared to the implicit flow is that with silent authentication you would use the authorisation code flow. In a less user-friendly approach, if you needed a new access token you'd get redirected to the AS and then straight back with the authorisation code grant response. When your client receives that, it'd perform the token exchange. Now, to solve that UX issue you have to do some trickery and non-standard things, like load the AS auth endpoint in an iframe and use the HTML5 messaging API to send the authorisation code to the client. – Seer May 14 '20 at 12:02
  • @alex-buyny If a user still has a valid session with the AS, how does the AS generate a new access token? Does it use a refresh_token stored inside the AS session? – Richard Scarrott May 06 '21 at 14:46
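The flow listed in the answer, modelled end to end as an added example (this is not code from the answer or from any real authorization server). All three parties live in one in-memory script so the decision the AS makes at the authorize endpoint is visible: the only input that matters is the AS's own session cookie, not the expired access token and not a refresh token. Every name here (asLogin, asAuthorize, apiCall, spaSilentRenew, the "spa" client and its redirect_uri) is an assumption made for illustration. prompt=none is the standard OIDC request parameter meaning "issue a token only if no user interaction is needed" (OpenID Connect Core 1.0, section 3.1.2.1); the login_required error it produces is likewise from that spec.

```javascript
// Added example, not from the original answer. All endpoint and function names
// are assumptions for illustration, not any real AS's API.

const ACCESS_TOKEN_TTL_MS = 5 * 60 * 1000;     // short-lived bearer token for the API
const AS_SESSION_TTL_MS = 8 * 60 * 60 * 1000;  // the AS login cookie outlives many tokens

// Opaque identifiers for the model. A real AS must use a CSPRNG here;
// Math.random is used only to keep this file dependency-free.
let counter = 0;
const opaque = () => `${(++counter).toString(16)}-${Math.random().toString(16).slice(2)}`;

// --- Authorization Server (AS) state ---
const registeredClient = { client_id: "spa", redirect_uri: "https://spa.example/callback" }; // assumed
const asSessions = new Map();   // cookie value -> { sub, expiresAt }
const issuedTokens = new Map(); // access token -> { sub, expiresAt } (what the API checks)

// Interactive login: the only step where the user supplies credentials (password
// check elided). It sets the AS's own session cookie in the browser.
function asLogin(username, now) {
  const cookie = opaque();
  asSessions.set(cookie, { sub: username, expiresAt: now + AS_SESSION_TTL_MS });
  return cookie;
}

// /authorize: issues a new access token if, and only if, the request carries a
// live AS session cookie and names a registered client/redirect_uri. No old access
// token and no refresh token take part in this decision.
function asAuthorize({ client_id, redirect_uri, prompt, cookie }, now) {
  if (client_id !== registeredClient.client_id || redirect_uri !== registeredClient.redirect_uri) {
    return { error: "invalid_request" }; // never send a token to an unregistered URI
  }
  const session = asSessions.get(cookie);
  if (!session || session.expiresAt <= now) {
    // With prompt=none the AS must not render a login page; it reports the reason instead.
    return { error: prompt === "none" ? "login_required" : "interaction_required" };
  }
  const token = opaque();
  issuedTokens.set(token, { sub: session.sub, expiresAt: now + ACCESS_TOKEN_TTL_MS });
  return { access_token: token, expires_in: ACCESS_TOKEN_TTL_MS / 1000 };
}

// --- Resource server (API) ---
function apiCall(accessToken, now) {
  const t = issuedTokens.get(accessToken);
  if (!t || t.expiresAt <= now) return { status: 401 };
  return { status: 200, body: { sub: t.sub } };
}

// --- SPA ---
// Silent renewal: the SPA loads /authorize?prompt=none in a hidden iframe (and in a
// real SPA reads the result back via postMessage). The browser attaches the AS
// cookie by itself; the SPA's JavaScript never holds a refresh token and does not
// send the expired access token.
function spaSilentRenew(browserCookie, now) {
  return asAuthorize({ ...registeredClient, prompt: "none", cookie: browserCookie }, now);
}

// Walk through the answer's steps and record what each party observes.
function runScenario() {
  const trace = [];
  let now = 0;
  const cookie = asLogin("alice", now);                       // steps 1-2: interactive login
  let token = asAuthorize({ ...registeredClient, cookie }, now).access_token;
  trace.push(apiCall(token, now).status);                     // 200

  now += ACCESS_TOKEN_TTL_MS + 1;                             // access token expires
  trace.push(apiCall(token, now).status);                     // 401: time to renew

  const renewed = spaSilentRenew(cookie, now);                // steps 4-5: AS session still live
  trace.push(renewed.error ?? "renewed");
  token = renewed.access_token;
  trace.push(apiCall(token, now).status);                     // 200 again, no user interaction

  now += AS_SESSION_TTL_MS;                                   // the AS session itself expires
  trace.push(spaSilentRenew(cookie, now).error);              // "login_required": back to step 1
  return trace;
}
```

What the model makes visible: the lifetime of the whole arrangement is the AS session, exactly as Charlie Reitzel's comment says, and the SPA only ever holds short-lived access tokens. The cookie that carries that session is scoped to the AS origin and, if set HttpOnly, is never readable by the SPA's scripts, which is the property a refresh token stored in the SPA would lack.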