[keycloak-dev] Silent Login for SPA

Gregor Tudan Gregor.Tudan at cofinpro.de
Mon Jul 1 11:30:57 EDT 2019


Hi everyone,

After reading https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps on how to secure SPAs with OAuth I would like to implement the measures outlined there. I know it’s still a draft, but the arguments stated there make a lot of sense - including that doing OAuth in the browser only should only be considered if session based auth or some kind of backend (like gatekeeper) is not an option.

Here’s what the draft suggests:

  * Use public clients only, as one cannot keep secrets private (easy)
  * Use the Code-Flow with PKCE to secure the token exchange (possible with the JS-Adapter from v7)
  * Don’t expose the refresh token to the client (I don’t think that’s possible with the code flow today).
    * If this is not possible, return a new refresh token on every refresh, invalidating the old one.
  * Don’t use the Implicit flow - it saves roundtrips but is vulnerable to numerous attacks (easy - see above)

So while a lot has been done, there still seems to be the issue about the refresh tokens.

First off, I’m not sure how to obtain an access token only during the Access Token Request - while the spec states that the refresh token is optional, there is no parameter defined to communicate this kind of behavior to the auth server. Can this be configured in the client?

Let’s say I managed to obtain an access token. The second issue is: how can I refresh it without a refresh token? It was suggested to use the session with the Auth-Server for this, but with the current Javascript-Adapter this would mean doing a full reload every two minutes and having to reboot the SPA. This is not practical.
The other option would be to do this in an iframe with prompt=none. A similar approach was proposed and implemented in https://issues.jboss.org/browse/KEYCLOAK-6795 (Silent Authentication in Iframe for Implicit Flow), but abandoned due to the usage of the implicit flow. Stian suggested to use the code flow with PKCE instead, but this would mean having to do an extra call inside the iframe.

I’m happy to work on something similar for PKCE, but before starting I would like to make sure that this kind of feature makes sense and has a chance to get accepted.

- Gregor