This repository has been archived by the owner on Mar 3, 2022. It is now read-only.

Support for Code Flow PKCE with Refresh tokens #1362

Open
ghost opened this issue May 4, 2021 · 12 comments

@ghost

ghost commented May 4, 2021

As far as I see, the oidc-client-js library supports only silent renewal with a silent renew callback URL.
Is there a way to make it work with the refresh token mechanism? If not, are there any plans to support it in the future?

@brockallen
Member

It supports refresh tokens and renewal already.

@ghost
Author

ghost commented May 4, 2021

> It supports refresh tokens and renewal already.

Cool, how can we configure it to use refresh tokens? I don't see that in the documentation.

@brockallen
Member

Request offline_access as a scope, as per the spec. https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess

@ghost
Author

ghost commented May 4, 2021

@brockallen Perfect, thanks a lot. It works when using offline_access scope. 🎉

Could you please mention it in the Wiki documentation?
That would be helpful for other developers too.

@brockallen
Member

You know refresh tokens in the browser are not really recommended, though, right?

https://pragmaticwebsecurity.com/talks/xssoauth.html

@ghost
Author

ghost commented May 5, 2021

That's what I thought at first.
But recently, Auth0 recommends refresh token rotation as more secure than silent renewal with iframe.

See https://auth0.com/docs/tokens/refresh-tokens#for-single-page-apps

@brockallen
Member

Did you watch the video above?

@ghost
Author

ghost commented May 5, 2021

I just watched the video. Thanks for sharing.
I understand the attack vectors on refresh token rotation now.

Could you please explain how silent renewal with iFrame is still better than refresh token rotation?
Is silent renewal with iFrame not vulnerable to XSS?

@marwalsch

@Keth-dev Were you able to get enlightened on that? I was wondering about the same. From what I understand from the video there is no way to avoid browser vulnerabilities aside from using BFF, which essentially means once someone busts your SPA with XSRF it doesn't really matter whether you use refresh token rotation or silent renewal.

@brockallen
Member

> which essentially means once someone busts your SPA with XSRF it doesn't really matter whether you use refresh token rotation or silent renewal.

The difference is the amount of damage in what amount of time. A leaked refresh token will allow an attacker much longer and potentially infinite time if there's no absolute limit on the RT.

@brockallen
Member

> which essentially means once someone busts your SPA with XSRF it doesn't really matter whether you use refresh token rotation or silent renewal.

The difference is the amount of damage in what amount of time. A leaked refresh token will allow an attacker much longer and potentially infinite time if there's no absolute limit on the RT.

The BFF approach we suggest (if you're using ASP.NET) is this one: https://blog.duendesoftware.com/posts/20210326_bff/

@marwalsch

@brockallen I see, but once the length of sessions kept with the ID provider for silent renewal surpasses refresh token lifetime it should be virtually the same if I am not mistaken.
