
I am trying to integrate silent refreshing of access tokens within an iframe by using prompt=none using the oauth authorize endpoint. I can't seem to figure out how to do this or if it is even supported and do not see any information in the documentation here:

https://fusionauth.io/docs/v1/tech/oauth/overview

I've tried using prompt=none in the URL but it doesn't seem to do anything.

I expect prompt=none to work according to OpenID Connect Core 1.0

Thanks for all your help!

1 Answer


FusionAuth doesn't currently support the prompt=none option for the authorization code grant. This is something we are planning on adding in one of the upcoming releases.

However, there is a work-around that others have used. You can make an AJAX request to the authorize endpoint of FusionAuth and then check the result to determine if the user needs to log in again or refresh their access token.

Here's how it works:

User not logged in

  1. Your application makes an AJAX request to the /oauth2/authorize endpoint
  2. FusionAuth will respond with a 200 and HTML that contains our login form if the user is no longer logged in.
  3. Your application can check the response and see that the user needs to log in and take them to FusionAuth's interface to log back in.

User still logged in

  1. Your application makes an AJAX request to the /oauth2/authorize endpoint
  2. FusionAuth will respond with a 302 to your redirect_uri with an authorization code
  3. Your backend will complete the authorization code grant and call the FusionAuth token endpoint
  4. This will return an access token (and possibly a refresh token)
  5. Your backend should return a 200 plus a JSON body or something that indicates the user is still logged in
  6. The AJAX response will be sent to your application and it can parse the response and see the user is still logged in
  7. Your application will now have the new access token

This flow works in AJAX nicely. It doesn't work well in an iframe because there isn't a way for the iframe to message back out to your application that either the user needs to log in again or they are still logged in and now have a new access token.

If you want to open a GitHub issue for the prompt=none support on our authorize endpoint, you can do that here: https://github.com/FusionAuth/fusionauth-issues

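The AJAX work-around described in the answer, as an added browser JavaScript example (not FusionAuth's code or the answerer's): it builds the authorize request, lets fetch follow the 302 to your redirect_uri, and classifies what comes back. It assumes your backend handler at redirect_uri completes the code grant and answers with JSON of the form `{"loggedIn": true, "accessToken": "..."}`, and that the deployment's CORS configuration permits the cross-origin request with cookies (the comments note the stock web.xml does not).

```javascript
// Added example, not FusionAuth's own code. Assumed backend contract:
// the redirect_uri handler returns JSON {"loggedIn": true, "accessToken": "..."}
// after exchanging the code at /oauth2/token.

function buildAuthorizeUrl(baseUrl, { clientId, redirectUri, state }) {
  const url = new URL('/oauth2/authorize', baseUrl);
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('state', state); // backend must verify state on the callback
  return url.toString();
}

// Because fetch follows the 302 transparently, a still-logged-in user yields the
// backend's JSON, while a logged-out user yields FusionAuth's 200 HTML login form.
function classifyAuthorizeResponse(status, contentType, body) {
  if (status !== 200) {
    return { loggedIn: false, reason: `unexpected status ${status}` };
  }
  if (contentType.includes('application/json')) {
    const data = JSON.parse(body);
    if (data.loggedIn === true && typeof data.accessToken === 'string') {
      return { loggedIn: true, accessToken: data.accessToken };
    }
    return { loggedIn: false, reason: 'backend reported no session' };
  }
  if (contentType.includes('text/html')) {
    return { loggedIn: false, reason: 'login form returned' };
  }
  return { loggedIn: false, reason: 'unrecognized response' };
}

// fetchImpl is injectable so the logic can be exercised without a network.
async function silentRefresh(baseUrl, opts, fetchImpl = fetch) {
  const url = buildAuthorizeUrl(baseUrl, opts);
  // credentials: 'include' sends the FusionAuth session cookie cross-origin;
  // this only works if the server's CORS policy allows it.
  const res = await fetchImpl(url, { credentials: 'include', redirect: 'follow' });
  const contentType = res.headers.get('content-type') || '';
  const body = await res.text();
  return classifyAuthorizeResponse(res.status, contentType, body);
}
```

When `loggedIn` is false, send the user to FusionAuth's login page rather than retrying; when it is true, replace the stored access token with the returned one.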
  • Thanks for your prompt answer! You mention the Authorization Code flow. I am using the Implicit flow but it shouldn't make a difference I presume. In an attempt to implement this, I seem to get a CORS policy issue. Access to XMLHttpRequest at 'XXXXXX' from origin 'http://localhost:4200' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. No matter what I change in the Application settings, it doesn't work. Authorized request origin URLs are set to nothing and I even tried to set it to http://localhost:4200. – patakattack Apr 30 '19 at 00:39
  • I just looked at our CORS configuration and it looks like it doesn't allow CORS requests for `/oauth2/authorize` or `/oauth2/token`. I'll need to check if that changed and what the security implications of allowing CORS to those endpoints is. You can edit the CORS configuration by editing `fusionauth-app/web/WEB-INF/web.xml` and adding those lines to the `` definitions for the `cors-filter`. You would add them as new `` elements. – voidmain Apr 30 '19 at 15:00
  • Since I am also interested in this feature, I opened an issue https://github.com/FusionAuth/fusionauth-issues/issues/521 – La Muerte Peluda Mar 16 '20 at 16:02
  • This post might be of interest to anyone with this issue: https://stackoverflow.com/questions/61531844/attempting-to-implement-silent-refresh-with-fusion-auth – mooreds May 01 '20 at 19:14