[keycloak-user] How to silently getting a new access token on Implicit Flow
Marek Posolda
mposolda at redhat.com
Mon Oct 9 07:27:19 EDT 2017
Hi,
there is no token refresh with the implicit flow. The proper way is to
always redirect to the Keycloak login screen, which will automatically
authenticate you through SSO and redirect you back.
A few tips:
- There is a callback "onTokenExpired". See the bottom of the page
http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/javascript-adapter.html
Maybe this can be used in your app to save the application state and
then redirect to the login screen?
- Maybe another approach is to use IFrames or custom XHR requests as you
pointed out. In Keycloak, we have the possibility to add custom REST
endpoints, so you can possibly add something which will let your app
decide if the userSession is still valid or not and add some info back. Or
you can just invoke the existing TokenIntrospection or UserInfo
endpoints maybe? But that's just a workaround and security is another
concern here...
- Do you really need the implicit flow? Maybe the standard flow is a better choice,
as it allows you to refresh the token in the background automatically?
Marek
On 06/10/17 10:26, Marcel van Tongeren wrote:
> Hi,
>
> I am working on an Aurelia SPA with Keycloak as the identity server.
> Since it is a web client, I'm using the Implicit variant of the OpenID Connect authorization flow.
> Authentication works fine, but I'm having a problem with getting a new access token without interrupting the workflow of the user.
> The documentation states that I can't use UpdateToken (because there is no refresh token in Implicit flow) and that I should redirect to the login page instead.
>
> Currently, I'm calling keycloak.login({prompt:'none'}) to do the redirect, but the problem is that you will lose all the data that the user entered on the current page, because it has the same effect as a full page refresh.
> Now, I had the impression that the hidden IFrame was supposed to handle this, but I get the feeling that it is not much help when using the Implicit flow...?
>
> There is plenty of documentation about initial authentication, but I couldn't find anything about 'refreshing' the access token when using the Implicit flow.
> Is there another way to do the redirect, maybe from the IFrame, so it is all handled behind the scenes?
>
> Btw, at first the IFrame wasn't created at all, because Aurelia fully replaces its root element, which happens to be the body element by default.
> After I configured Aurelia's root element to be a child div of the body element, the IFrame seems to be created correctly.
>
> Best regards,
>
> Marcel
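The state-saving approach from Marek's first tip, as an added example that is not code from this thread or from the Keycloak project. It assumes a keycloak-js style adapter object exposing `onTokenExpired` and `login({prompt: 'none', redirectUri})`, a Web Storage-like object (`sessionStorage` in a browser; an in-memory stand-in is constructed here so it runs outside one), and a hypothetical `getState()` callback supplied by the SPA.

```javascript
// Key under which the pre-redirect snapshot is stored (hypothetical name).
const STATE_KEY = 'app-state-before-relogin';

// Wire the implicit-flow renewal: when keycloak-js reports that the access
// token has expired, persist the SPA's current state, then redirect to
// Keycloak with prompt=none so an active SSO session answers without
// showing a login screen. Only UI/form state belongs in the snapshot,
// never tokens or other secrets: sessionStorage is readable by any script
// running on the same origin.
function installSilentRelogin(keycloak, storage, getState, redirectUri) {
  keycloak.onTokenExpired = function () {
    const snapshot = { savedAt: Date.now(), path: redirectUri, state: getState() };
    storage.setItem(STATE_KEY, JSON.stringify(snapshot));
    // If the Keycloak SSO session is already gone, prompt=none yields an
    // error response instead of a token and the app must do a full login.
    keycloak.login({ prompt: 'none', redirectUri: redirectUri });
  };
}

// On return from Keycloak, restore the state saved before the redirect.
// Returns null when nothing was saved, the snapshot is unreadable, or it is
// older than maxAgeMs (a stale snapshot should not be replayed).
function restoreStateAfterRelogin(storage, maxAgeMs) {
  const raw = storage.getItem(STATE_KEY);
  if (raw === null) return null;
  storage.removeItem(STATE_KEY); // one-shot: never restore the same snapshot twice
  let snapshot;
  try {
    snapshot = JSON.parse(raw);
  } catch (e) {
    return null;
  }
  if (typeof snapshot.savedAt !== 'number' || Date.now() - snapshot.savedAt > maxAgeMs) {
    return null;
  }
  return snapshot;
}

// Constructed in-memory stand-in for window.sessionStorage (same get/set/remove API).
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

In a browser, call `installSilentRelogin(keycloak, window.sessionStorage, ...)` after `keycloak.init(...)` and `restoreStateAfterRelogin(window.sessionStorage, ...)` once the adapter has processed the redirect back.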