2

I'm currently trying to implement silent refresh follow this workaround

However, even when I'm logged in, if I try to do an AJAX GET request to the oauth2/authorize endpoint, I get a status of 200. I tried going to the URL in the browser directly, and it worked. Do I need to pass additional information?

Any help would be greatly appreciated, thanks!

Harrison Hsieh
  • 39
  • 2
  • Can you paste the entire response of the ajax GET when you request `/oauth2/authorize`? – mooreds Apr 30 '20 at 21:22
  • Also, if you'd like to have FusionAuth support prompt=none, please vote on the relevant github issue: https://github.com/FusionAuth/fusionauth-issues/issues/521 – mooreds Apr 30 '20 at 21:27
  • I got it to redirect. I was using axios and didn't do { withCredentials: true }. I'm running into a CORS issue now though. Trying to figure out what domain to allow on my server. – Harrison Hsieh Apr 30 '20 at 22:18
  • The origin header that fusionauth sends back to my server via redirect appears to be null, which is causing a CORS issue. My entire flow is: AJAX GET to fusionAuth /oauth2/authorize -> redirects to localhost:3000/redirect (My server) -> return something so I can parse the code – Harrison Hsieh Apr 30 '20 at 23:06
  • After much searching, apparently after redirects, the origin header gets set to `null`, so I'm going to implement the silent refresh with and iframe in the meantime. Hopefully fusionauth gets prompt=none soon. – Harrison Hsieh May 01 '20 at 01:23

1 Answers1

1

I ended up solving my own problem and was able to not have to use an iframe.

Solution to original problem (I was using authorization code flow):

  1. Set up an endpoint on your server with a silent response that FusionAuth can redirect to (endpoint 1).
  2. Set up an endpoint that you will call from your app to perform the silent refresh (endpoint 2).
  3. From the app, send AJAX GET request to endpoint 2.
  4. On the server side of endpoint 2, send AJAX GET request to FusionAuth with redirect_uri=(endpoint 2)
  5. On success, get redirected url. (In express.js with axios I did response.request.res.responseUrl)
  6. If the url is current server host and not the fusionauth service host, complete auth code flow. Return the token and tell the browser that the user is logged in.
  7. In all other cases the user is not logged in, so return to app that user is not logged in.
Harrison Hsieh
  • 39
  • 2