How to get new access token in OpenID Connect/OAuth2 Implicit Flow

I am currently using OpenID Connect/Oauth2 Implicit Flow in a mobile app. I am bringing up a Web View for the user to login and obtaining the access token and expiry. However, when the access token expires, do I need to ask the user to log in again? Or is there a way to get a new access token silently using the current one, without bugging the user. I guess another option is to set the token expiry to be a really long time, but I have read that this is a bad idea.

Am I missing something here?

asked by marcusturewicz, Oct 18 '22 10:10


1 Answer

Since Implicit flow does not send a refresh token (as explained in section 9 of RFC6746), usage of refresh tokens is not possible. But as a workaround one can use client credential grant to obtain an access token.

A viable solution is to first follow the implicit flow and authenticate the client. Then client authentication grant can be used to do the required API calls.

Sample request (from RFC6749)

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials

Sample response (from RFC6749)

HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache

{
   "access_token":"2YotnFZFEjr1zCsicMWpAA",
   "token_type":"example",
   "expires_in":3600,
   "example_parameter":"example_value"
}

P.S. - If you are using authorization code flow, you can use `refresh_token` to get a new access token. How the request should be formed can be obtained from OAuth2 documentation. Note that to do so, your authorization response should contain a `refresh_token`.

A refresh token should be protected as carefully as a user's credential. More can be read from the keycloak documentation here.

Sample request and a response (from RFC6749)

Request

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=tGzv3JOkF0XG5Qx2TlKWIA

Response

HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "TlBN45jURg",
  "token_type": "Bearer",
  "refresh_token": "9yNOxJtZa5",
  "expires_in": 3600
}
answered by Kavindu Dodanduwa, Oct 21 '22 08:10
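As an added example (not part of the answer above, and not from any OAuth2 library), here is a small Python client that implements the `refresh_token` grant the P.S. describes: it keeps the access token and its absolute expiry, refreshes a short skew window before expiry, sends exactly the request shown in the RFC sample, validates the response, and adopts a rotated refresh token when the server returns one. Tokens obtained through the implicit flow have no refresh token, so for them the same code reports that the user must log in again rather than silently failing. The token endpoint URL is assumed; the client id and secret are the RFC example values decoded from the `Basic` header shown above; the transport is pluggable, and a constructed stand-in for the authorization server is included so the code runs offline.

```python
import base64
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Assumed token endpoint; the host matches the RFC sample above.
TOKEN_ENDPOINT = "https://server.example.com/token"
# Client id and secret decoded from the Basic header in the RFC sample above
# (base64 of "s6BhdRkqt3:gX1fBat3bV"); RFC example values, not real ones.
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = "gX1fBat3bV"
# Refresh this many seconds before expiry so an in-flight request does not race the clock.
CLOCK_SKEW_SECONDS = 30

# A transport sends (url, headers, form_body) and returns (status, response_text).
# It is pluggable so the refresh logic can be exercised without a network.
Transport = Callable[[str, Dict[str, str], str], Tuple[int, str]]


class TokenRefreshError(Exception):
    """Raised when a new access token cannot be obtained silently."""


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the HTTP Basic value used for client authentication (RFC 6749 2.3.1)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


@dataclass
class TokenSet:
    access_token: str
    expires_at: float             # absolute Unix time, derived from expires_in
    refresh_token: Optional[str]  # None for tokens obtained via the implicit flow

    def is_expired(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return now + CLOCK_SKEW_SECONDS >= self.expires_at


def parse_token_response(status: int, body: str, now: float,
                         previous_refresh_token: Optional[str]) -> TokenSet:
    """Validate a token endpoint response and turn it into a TokenSet."""
    if status != 200:
        raise TokenRefreshError(f"token endpoint returned {status}: {body}")
    data = json.loads(body)
    if "access_token" not in data or "expires_in" not in data:
        raise TokenRefreshError("response is missing access_token or expires_in")
    if str(data.get("token_type", "")).lower() != "bearer":
        raise TokenRefreshError(f"unsupported token_type {data.get('token_type')!r}")
    # Servers may rotate the refresh token; keep the old one only if none is returned.
    new_refresh = data.get("refresh_token", previous_refresh_token)
    return TokenSet(access_token=data["access_token"],
                    expires_at=now + int(data["expires_in"]),
                    refresh_token=new_refresh)


def refresh_access_token(tokens: TokenSet, transport: Transport,
                         now: Optional[float] = None) -> TokenSet:
    """Exchange the refresh token for a new access token (RFC 6749 section 6)."""
    now = time.time() if now is None else now
    if tokens.refresh_token is None:
        # Implicit flow never issues a refresh token: the user must log in again.
        raise TokenRefreshError("no refresh token available; re-authenticate the user")
    headers = {
        "Authorization": basic_auth_header(CLIENT_ID, CLIENT_SECRET),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": "refresh_token",
                      "refresh_token": tokens.refresh_token})
    status, text = transport(TOKEN_ENDPOINT, headers, body)
    return parse_token_response(status, text, now, tokens.refresh_token)


def get_valid_token(tokens: TokenSet, transport: Transport,
                    now: Optional[float] = None) -> TokenSet:
    """Return tokens unchanged while still valid, otherwise refresh them first."""
    now = time.time() if now is None else now
    if not tokens.is_expired(now):
        return tokens
    return refresh_access_token(tokens, transport, now)


# Constructed stand-in for the authorization server: it accepts exactly the
# request shown in the RFC sample above and replies with the RFC sample response.
def fake_token_endpoint(url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
    form = {k: v[0] for k, v in parse_qs(body).items()}
    authenticated = headers.get("Authorization") == "Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW"
    if (url == TOKEN_ENDPOINT and authenticated
            and form.get("grant_type") == "refresh_token"
            and form.get("refresh_token") == "tGzv3JOkF0XG5Qx2TlKWIA"):
        return 200, json.dumps({"access_token": "TlBN45jURg", "token_type": "Bearer",
                                "refresh_token": "9yNOxJtZa5", "expires_in": 3600})
    return 400, json.dumps({"error": "invalid_grant"})


if __name__ == "__main__":
    now = 1_700_000_000.0  # fixed clock (constructed) so the run is reproducible
    expired = TokenSet("2YotnFZFEjr1zCsicMWpAA", expires_at=now - 1,
                       refresh_token="tGzv3JOkF0XG5Qx2TlKWIA")
    fresh = get_valid_token(expired, fake_token_endpoint, now)
    print(fresh.access_token, fresh.refresh_token, int(fresh.expires_at - now))
```

The `Basic` header is the confidential-client form from the RFC sample; a client that cannot keep a secret (a mobile app, for instance) would omit it and send `client_id` in the form body instead, per RFC 6749 section 3.2.1. Storing `expires_at` as an absolute time rather than the raw `expires_in` is what lets `is_expired` be evaluated against any clock.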