Menu
I need to implement Authorization/Authentication for an Angular2 Client Side WebApp to talk to a Resource Server(WebApi).
I am investigating IdentiyServer4 and choosing a Grant Type / Flow. HERE
With Implicit Flow, how do I not require the user of the SPA to have to type in a password every say 3600 sec? A recommended access_token lifetime. I presume there is something I do not understand about getting the new authorization URL.
Resources I have looked at.
Thanks for the answer Scott. I have some reading to do.
608
When using the Implicit flow you can still use your own cookie lifetimes (ie longer than 3600 seconds). To get around access tokens expiring, you can use the fact that the user is still authenticated within IdentityServer to fetch another access token, without the need for refresh tokens.
The IdentityModel OpenID Connect JS Client does this by firing an event just before access token expiration and using an iframe to make a fresh authentication request to IdentityServer. If the user is still logged into IdentityServer (which has a different, typically longer lived cookie than your own client application), then IdentityServer sends back fresh tokens just like a normal authentication request. This happens in the background with no interaction from the user and no interruption.
Check out the automaticSilentRenew functionality in this library for implementation specifics.
By the way, the Implicit, Authorization Code and Hybrid grant types, in the case of IdentityServer, are OpenID Connect grant types. Resources referring to the OAuth versions may not apply to your use case.
197
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
