By: Alex Peltonen user 08 Jan 2021 at 12:06 p.m. CST

6 Responses
Alex Peltonen gravatar
I am trying to do silent token renewal with oidc-client, using oidc authorization code flow on a React SPA. I expected silent access token renewal to succeed via iframe when prompt: none is set. However, Gluu server responds with login_required, even though user is logged in. Preauthorize is set to true, and everything else works. Question, is silent renew / iframe silent login supported? If so, where can I find more info on configuration?

By Michael Schwartz staff 08 Jan 2021 at 12:36 p.m. CST

Michael Schwartz gravatar
What grant did you use to get the access token? Are you using PKCE? Can you post a summary of your client config?

By Alex Peltonen user 08 Jan 2021 at 1:31 p.m. CST

Alex Peltonen gravatar
Certainly, here is the summary OPENID CONNECT CLIENTS DETAILS ------------------------------ - **Name:** MyClient - **Client ID:** client-id - **Subject Type:** public - **ClientSecret:** XXXXXXXXXXX - **Application Type:** web - **Persist Client Authorizations:** true - **Pre-Authorization:** true - **Authentication method for the Token Endpoint:** none - **Logout Session Required:** false - **Include Claims In Id Token:** false - **Disabled:** false - **Logout Redirect URIs:** [https://localhost:3000/logout-callback] - **Login Redirect URIs:** [https://localhost:3000/silent-renew.html, https://localhost:3000/signin-callback] - **Scopes:** [profile, openid, permission, email, user_name] - **Grant types:** [authorization_code] - **Response types:** [code, token, id_token] I am using authorization_code grant and yes, code_challenge is being posted and &code_challenge_method=S256&response_mode=query, while callback is silent_renew.html which is being called, but with error=login_required.

By Michael Schwartz staff 08 Jan 2021 at 1:40 p.m. CST

Michael Schwartz gravatar
Response types should only be `code`... you don't want the tokens coming back in the redirect unless you are using the hybrid flow. Also, I don't see that you have given the refresh_token grant type.

By Kiran Mali staff 11 Jan 2021 at 4:18 a.m. CST

Kiran Mali gravatar
Hi Alex, Yes, you need to set - Grant types: [authorization_code, refresh_token] - Response types: [code] and also check global setting `forceOfflineAccessScopeToEnableRefreshToken` specially for refresh token case. [More details are here](https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess) Let me share you my client details ![Screenshot from 2021-01-11 15-41-59](https://user-images.githubusercontent.com/39133739/104168554-3a622b00-5424-11eb-950d-a7a29ee1f015.png) Best regards, Kiran Mali

By Alex Peltonen user 11 Jan 2021 at 7:21 a.m. CST

Alex Peltonen gravatar
Ok. Looks like silent renew does not work due to SameOrigin cookie restrictions in Chrome, because Gluu does not set SameSite attribute (to SameSite=None). Disabling SameSite controls in chrome://flags confirms this. I just had to remove token and id_token response types to have a working setup with these default flags disabled. I was hoping to avoid refresh_token and do a silent signin via iframe, because I could not find anything on refresh_token rotation support in Gluu docs. There is a refresh token lifetime setting, but no further description as far as I can find.

By Kiran Mali staff 12 Jan 2021 at 6:03 a.m. CST

Kiran Mali gravatar
Hello Alex, > because I could not find anything on refresh_token rotation support in Gluu docs. There is a refresh token lifetime setting, but no further description as far as I can find. > I think we don't need to add more about this in our docs because we are following OpenID Connect standards so you can find details about `refresh token` in [OIDC Specs here](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens). it is open standards. Let us know if you need anything else. Thank you!