Refresh Token API throws error when using Passport Login (both OpenID and Passport Login)

By: Praveen Srinivasan user 19 May 2022 at 4:09 a.m. CDT

4 Responses
Praveen Srinivasan gravatar
Hi Team, After upgrading to latest version of GLUU, I am getting the below error when I call silent refresh. I know the meaning of error. But I've logged in with proper login procedure. The same issue happens for login via Passport also. I'm trying to login GLUU via localhost (frontend) application. And the initial login works fine. But silent renew is failing. Do I need to modify any configuration in GLUU to fix the silent renew error? The Authorization Server requires End-User authentication. This error MAY be returned when the prompt parameter in the Authorization Request is set to none to request that the Authorization Server should not display any user interfaces to the End-User, but the Authorization Request cannot be completed without displaying a user interface for user authentication.
Gluu 4.3 Ubuntu 20.04
closed

Answers

By Praveen Srinivasan user 19 May 2022 at 8:22 a.m. CDT

Copy
Praveen Srinivasan gravatar
Adding update. Below is the oxauth debug log ``` [org.gluu.oxauth.service.RedirectionUriService] (RedirectionUriService.java:132) - Comparing http://localhost:3000/renew/ == http://localhost:3000/ [org.gluu.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:58) - Checking scopes policy for: [openid, email, profile, uma_protection] [org.gluu.oxauth.model.authorize.ScopeChecker] (ScopeChecker.java:90) - Granted scopes: [openid, profile, uma_protection, email] [org.gluu.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:72) - Looking for the error with id: login_required [org.gluu.oxauth.model.error.ErrorResponseFactory] (ErrorResponseFactory.java:77) - Found error, id: login_required ```

By Mohib Zico staff 19 May 2022 at 10:53 p.m. CDT

Copy
Mohib Zico gravatar
What is `silent refresh` and how you are using it?

By Praveen Srinivasan user 19 May 2022 at 11:24 p.m. CDT

Copy
Praveen Srinivasan gravatar
Silent refresh is nothing but the existing access_token will be refreshed and will get the new token before it gets expires (https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess). (refresh token) The request will have prompt as none and will be performed without refreshing/redirecting the user.

By Praveen Srinivasan user 19 May 2022 at 11:49 p.m. CDT

Copy
Praveen Srinivasan gravatar
We will be calling the refresh token with prompt as none The sample URL will be like this. `https://gluu-sso.com/oxauth/restv1/authorize?client_id=<client_id>&redirect_uri=http://localhost:3000/renew&response_type=token id_token&scope=openid email profile uma_protection&state=<state>&nonce=<nonce>&prompt=none&id_token_hint=<id_token_hint>`

Post an answer