
Support for Code Flow PKCE with Refresh tokens

Open ghost opened this issue 4 years ago • 12 comments

As far as I see, the oidc-client-js library supports only silent renewal with a silent renew callback URL. Is there a way to make it work with refresh token mechanism? If not, are there any plans to support it in the future?

ghost avatar May 04 '21 10:05 ghost

It supports refresh tokens and renewal already.

brockallen avatar May 04 '21 12:05 brockallen

It supports refresh tokens and renewal already.

Cool, how can we configure to use refresh token? I don't see that in the documentation.

ghost avatar May 04 '21 12:05 ghost

Request offline_access as a scope, as per the spec. https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess

brockallen avatar May 04 '21 13:05 brockallen
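For readers who want to see the configuration end to end, here is an added example (not code from the thread or from the oidc-client-js project) of the settings for code flow with PKCE that renew through a refresh token. It assumes oidc-client-js 1.10 or later, where `signinSilent()` uses the refresh token when one was issued and otherwise falls back to the hidden iframe; the authority, client id and URIs are placeholders.

```javascript
// Added example: oidc-client-js settings for code flow + PKCE with refresh-token renewal.
// Assumption: oidc-client-js >= 1.10 (signinSilent prefers a stored refresh_token).
const REFRESH_SCOPE = 'offline_access'; // per OIDC Core, section 11 (Offline Access)

function buildSettings({ authority, clientId, redirectUri, useRefreshTokens }) {
  const scopes = ['openid', 'profile'];
  if (useRefreshTokens) scopes.push(REFRESH_SCOPE);
  const settings = {
    authority,
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code', // authorization code flow; the library adds PKCE itself
    scope: scopes.join(' '),
    automaticSilentRenew: true, // renew before access_token expiry
  };
  if (!useRefreshTokens) {
    // The iframe path needs a page that completes the silent sign-in.
    settings.silent_redirect_uri = redirectUri.replace(/\/[^/]*$/, '/silent-renew.html');
  }
  return settings;
}

// Which renewal path the library will take for a given token response.
// A refresh token is only issued when offline_access was requested AND the
// provider chose to grant it, so the decision depends on both inputs.
function renewalPath(settings, tokenResponse) {
  const asked = settings.scope.split(' ').includes(REFRESH_SCOPE);
  if (asked && tokenResponse && tokenResponse.refresh_token) return 'refresh_token';
  if (settings.silent_redirect_uri) return 'iframe';
  return 'none'; // offline_access not granted and no iframe page configured
}

// Usage (placeholders; in the browser this object is passed to new Oidc.UserManager(settings)):
const settings = buildSettings({
  authority: 'https://idp.example.test',
  clientId: 'spa-client',
  redirectUri: 'https://app.example.test/callback.html',
  useRefreshTokens: true,
});
// Constructed sample token response, as a provider would return it for offline_access.
const sampleTokenResponse = { access_token: 'at', expires_in: 300, refresh_token: 'rt' };
renewalPath(settings, sampleTokenResponse); // 'refresh_token'
```

Note that the refresh token is then held in the SPA's storage, which is the trade-off the later comments in this thread discuss.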

@brockallen Perfect, thanks a lot. It works when using offline_access scope. 🎉

Could you please mention it in the Wiki documentation? That would be helpful for other developers too.

ghost avatar May 04 '21 20:05 ghost

You know refresh tokens in the browser are not really recommended, though, right?

https://pragmaticwebsecurity.com/talks/xssoauth.html

brockallen avatar May 05 '21 00:05 brockallen

That's what I thought at first. But recently, Auth0 recommends refresh token rotation as more secure than silent renewal with iframe.

See https://auth0.com/docs/tokens/refresh-tokens#for-single-page-apps

ghost avatar May 05 '21 06:05 ghost

Did you watch the video above?

brockallen avatar May 05 '21 11:05 brockallen

I just watched the video. Thanks for sharing. I understand the attack vectors on refresh token rotation now.

Could you please explain how silent renewal with iFrame is still better than refresh token rotation? Is silent renewal with iFrame not vulnerable to XSS?

ghost avatar May 05 '21 15:05 ghost

@keth-dev Were you able to get enlightened on that? I was wondering about the same. From what I understand from the video there is no way to avoid browser vulnerabilities aside from using BFF, which essentially means once someone busts your SPA with XSRF it doesn't really matter whether you use refresh token rotation or silent renewal.

marwalsch avatar May 26 '21 07:05 marwalsch

which essentially means once someone busts your SPA with XSRF it doesn't really matter whether you use refresh token rotation or silent renewal.

The difference is the amount of damage in what amount of time. A leaked refresh token will allow an attacker much longer and potentially infinite time if there's no absolute limit on the RT.

brockallen avatar May 26 '21 12:05 brockallen

which essentially means once someone busts your SPA with XSRF it doesn't really matter whether you use refresh token rotation or silent renewal.

The difference is the amount of damage in what amount of time. A leaked refresh token will allow an attacker much longer and potentially infinite time if there's no absolute limit on the RT.

The BFF approach we suggest (if you're using ASP.NET) is this one: https://blog.duendesoftware.com/posts/20210326_bff/

brockallen avatar May 26 '21 12:05 brockallen

@brockallen I see, but once the length of sessions kept with the ID provider for silent renewal surpasses refresh token lifetime it should be virtually the same if I am not mistaken.

marwalsch avatar Jun 01 '21 09:06 marwalsch