I wonder how to deal with refreshing tokens in the OAuth2 Implicit grant flow in 2019, when major browsers have 3rd party cookies disabled by default.
Some details:
Current setup:
UI SPA app under ui.example.com
Identity Provider (UAA by CloudFoundry) under uaa.api.example.com
Scenario:
When the user signs in, the Identity Provider sets a cookie with the user details for the domain uaa.api.example.com and returns a JWT in the redirect's Location header.
The JWT is stored in local storage (for ui.example.com), but it's valid only for 1h, so I'd like to refresh it.
Refreshing is possible with the prompt=none query param sent to the IDP authorization endpoint (the process is well described in the Auth0 guide; it's not UAA, but the flow is the same).
Every 20m a hidden iframe with src set to uaa.api.example.com/oauth/authorize?prompt=none is created, which starts the sign-in process without requiring the user to provide their credentials. When the process ends, the new JWT returned in the response is stored again in local storage.
Problem:
When third-party cookies are allowed, the browser adds the IDP's cookies to the request made by the iframe, so the flow works and I get a new token in the response.
When third-party cookies are disabled in the browser's settings, the iframe doesn't have access to its own cookies, so instead of a new JWT the error login_required is returned. The iframe's inability to access cookies makes token renewal impossible.
Question:
Is there any solution for my issue with 3rd party cookies?
If not, are there any alternatives to the Implicit Grant flow for a SPA that I could use to sign in and refresh tokens?
The Refresh Token
No refresh token is issued during the implicit flow; instead, if a client needs additional access tokens, it needs to re-authorize. If Curity is configured with Single Sign-On, the re-authorization can happen without user interaction since the SSO session might still be valid.
The Refresh Token grant type is used by clients to exchange a refresh token for an access token when the access token has expired. This allows clients to continue to have a valid access token without further interaction with the user.
By default, access tokens are valid for 60 days and programmatic refresh tokens are valid for a year.
As your application and identity server are hosted on different domains, your application is doing cross-origin authentication. Cross-origin authentication is achieved using third-party cookies, so disabling third-party cookies will make cross-origin authentication fail.
Answering your questions:
Is there any solution for my issue with 3rd party cookies?
Host both your application and the identity server under the same domain. You can use a subdomain in that case.
If not, are there any alternatives for Implicit Grant flow and SPA that I could use to sign in and refresh tokens?
No
Solution:
I am not familiar with CloudFoundry, so I am not sure whether they support it or not. You can solve the issue by enabling a custom domain on the identity provider side. Thus, both your application and the Identity Provider will be in the same domain and the cookies will be considered first-party. For example, host your application at https://acme.com and set your identity provider custom domain to https://login.acme.com.