
I've enabled implicit flow support in the Azure AD app registration, which says: "To enable the implicit grant flow, select the tokens you would like to be issued by the authorization endpoint:". I am trying to authenticate against multiple identity providers, hence not using MSAL or ADAL. But I am unable to achieve a silent refresh using a hidden iframe.

  1. Sent an authorization request with a scope including openid and response_type id_token (in a popup)
  2. Received the id_token and everything else, including session state.

Now (via an iframe) I am trying to fetch a token using silent auth by sending prompt=none and id_token_hint=prev_id_token; I have also tried sending login_hint=preferred_username (which I got from JWTtoken.payloadObj.preferred_username).

P.S. I have also tried sending response_type as both id_token and token initially, and then trying a silent refresh; it fails with this error every time:

error=login_required&error_description=AADSTS50058%3a+Session+information+is+not+sufficient+for+single-sign-on.%0d%0aTrace+ID%3a+5ceb4386-f4b1-40aa-8fb5-797c14379b00%0d%0aCorrelation+ID%3a+3401101e-9098-4048-bb05-78926181d733%0d%0aTimestamp%3a+2019-04-17+10%3a12%3a47Z&state={my state}

Please let me know what I am missing; it needs to be implicit flow, and I need to achieve a silent refresh using a hidden iframe.

I've implemented it as described in this post: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow

I am unable to do the highlighted part in this image.

  • It's possible your user is not consenting to the permissions you've requested in the initial sign-in request. You'll want to request the scopes you intend to use silently in the first request to ensure the user has accepted these permissions. – Daniel Dobalian Apr 22 '19 at 21:51
  • I am trying with my own account. I've consented to all permissions in the AD itself. I had the same doubt once, so I tried sending prompt=consent in the initial request, just to make sure all permissions are consented to. – Ajay Rn Apr 24 '19 at 07:21
  • Is there any setting in authentication providers to enable SSO through OpenID? @DanielDobalian – Ajay Rn Apr 24 '19 at 08:22
  • Not that I'm aware of; it should be able to automatically re-use the session cookie set by Azure AD. – Daniel Dobalian Apr 24 '19 at 20:24
  • OK, thanks. Please don't mind me asking a naive question: is that session maintained at the authentication provider end, or are some cookies set in the user's browser too? @DanielDobalian – Ajay Rn Apr 25 '19 at 10:04
  • Great question! The session cookie is set in the user's browser. The authentication provider usually just tracks if it needs to invalidate a session that may appear valid (like if the user reset their password). – Daniel Dobalian Apr 25 '19 at 23:15
  • @DanielDobalian Thanks again. I needed to know that because I was getting this error in the console when appending the iframe to the DOM: [link](https://drive.google.com/file/d/16x5YNO1njCb0GbxdAEfNv7jCFvMHJBet/view?usp=sharing). Is this causing any trouble? This happened when I requested both token and id_token in the first call; later I tried with just id_token in the first call and did not encounter it, though I am still not sure how it functions. One last doubt: sending the initial request in a popup is not a problem, is it? – Ajay Rn Apr 26 '19 at 05:57
