Hi,
there is no token refresh with the implicit flow. The proper way is to
always redirect to the Keycloak login screen, which will automatically
authenticate you through SSO and redirect you back.
A few tips:
- There is a callback "onTokenExpired". See the bottom of the page
http://www.keycloak.org/docs/latest/securing_apps/topics/oidc/javascript-...
. Maybe this can be used in your app to save the application state and
then redirect to the login screen?
- Maybe another approach is to use IFrames or custom XHR requests as you
pointed out. In Keycloak, we have the possibility to add custom REST
endpoints, so you can possibly add something which will let your app
decide if userSession is still valid or not and add some info back. Or
you can just invoke the existing TokenIntrospection or UserInfo
endpoints maybe? But that's just a workaround and security is another
concern here...
- Do you really need implicit flow? Maybe the standard flow is a better choice
as it allows you to refresh the token in the background automatically?
Marek
On 06/10/17 10:26, Marcel van Tongeren wrote:
Hi,
I am working on an Aurelia SPA with Keycloak as the identity server.
Since it is a web client, I'm using the Implicit variant of the OpenID Connect
authorization flow.
Authentication works fine, but I'm having a problem with getting a new access token,
without interrupting the workflow of the user.
The documentation states that I can't use UpdateToken (because there is no refresh
token in Implicit flow) and that I should redirect to the login page instead.
Currently, I'm calling keycloak.login({prompt:'none'}) to do the redirect,
but the problem is that you will lose all the data that the user entered on the current
page, because it has the same effect as a full page refresh.
Now, I had the impression that the hidden IFrame was supposed to handle this, but I get
the feeling that it is not much help when using the Implicit flow...?
There is plenty of documentation about initial authentication, but I couldn't find
anything about 'refreshing' the access token when using the Implicit flow.
Is there another way to do the redirect, maybe from the IFrame, so it is all handled
behind the scenes?
Btw, at first the IFrame wasn't created at all, because Aurelia fully replaces its
root element, which happens to be the body element by default.
After I configured Aurelia's root element to be a child div of the body element, the
IFrame seems to be created correctly.
Best regards,
Marcel
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
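
The first tip in the reply above (use "onTokenExpired" to save the application state, then redirect to the login screen), sketched as an added example that is not part of the original thread or of Keycloak's own code. STATE_KEY, installExpiryHandler, restoreState, captureState and MemoryStorage are hypothetical names; in a browser the storage argument would be window.sessionStorage, and the snapshot should hold form data only, never tokens.

```javascript
// Hypothetical key under which the page state is parked across the redirect.
const STATE_KEY = 'app.pendingState';

// Constructed stand-in for window.sessionStorage so the example runs outside a browser.
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
}

// Register the adapter's onTokenExpired callback: snapshot the page state,
// then start the silent SSO redirect the original post already uses.
// captureState is a hypothetical function returning JSON-serialisable form data.
function installExpiryHandler(keycloak, storage, captureState) {
  keycloak.onTokenExpired = () => {
    const snapshot = { savedAt: Date.now(), state: captureState() };
    storage.setItem(STATE_KEY, JSON.stringify(snapshot));
    return keycloak.login({ prompt: 'none' });
  };
}

// Call once after the redirect back. The snapshot is removed before it is
// parsed, so it is consumed at most once, and it is ignored when malformed
// or older than maxAgeMs (for example left behind by an abandoned redirect).
function restoreState(storage, maxAgeMs = 5 * 60 * 1000, now = Date.now()) {
  const raw = storage.getItem(STATE_KEY);
  if (raw === null) return null;
  storage.removeItem(STATE_KEY);
  let snapshot;
  try {
    snapshot = JSON.parse(raw);
  } catch {
    return null;
  }
  if (!snapshot || typeof snapshot.savedAt !== 'number') return null;
  if (now - snapshot.savedAt > maxAgeMs) return null;
  return snapshot.state;
}
```

Anything written to sessionStorage is readable by every script running in the same origin, which is why the snapshot is short-lived and deleted on first read.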