
cookie not send on silent renew auth request

Open Dynamic91 opened this issue 3 years ago • 6 comments

Hello, I am using oidc-client-ts v2.0.5 in my front-end application for getting access tokens. The issue I have is that on the silent renew flow, the cookie is not sent to the /connect/authorize endpoint, therefore on the silent callback page I get a login_required error issued by the authorization server.

I have read some articles that because the browsers are getting more strict with how they handle cookies, the silent renew flow will not work anymore. Is this true? If so, what is the recommended way to get new access tokens? If not, what can cause oidc-client-ts to not send the cookie on silent renew flow and how can I solve the problem?

Thanks in advance!

Dynamic91 avatar Jul 05 '22 13:07 Dynamic91

Are you using silent renew with refresh token or without?

With refresh token: In this case fetch is used. See exchangeRefreshToken here https://github.com/authts/oidc-client-ts/blob/main/src/TokenClient.ts#L109. This code is using postForm in https://github.com/authts/oidc-client-ts/blob/main/src/JsonService.ts#L122. The postForm is then using fetch.

In fetch we do not pass `credentials?: RequestCredentials;`, so it should use the default (same-origin).

Without refresh token: This library is doing a silent renew with an iframe request (without fetch). Depending on the authz server and browser the cookie policy can be different. e.g. same-site.

When using this library on an exposed client like a customer's browser, it's not recommended to use a refresh token!

pamapa avatar Jul 11 '22 07:07 pamapa

I am trying to use it without a refresh token, because like you said, it is not recommended. But the browser doesn't send the cookie to the auth server when trying to get a new access token on /connect/authorize. Why is that and how can I fix it? Thanks!

Dynamic91 avatar Jul 18 '22 07:07 Dynamic91

You will need to debug that on your side. Check if you have a cookie, verify its settings. Verify that the browser is allowed to send it to the request host (authz host for silent renew). Eventually CORS is in your way, if that is the case you need to whitelist your site on the authz server, ...

pamapa avatar Jul 18 '22 15:07 pamapa
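The cookie check suggested above, written out as an added example (not code from the issue or from oidc-client-ts): it models whether a browser attaches the authorization server's session cookie to the hidden-iframe /connect/authorize request that silent renew makes when no refresh token is used. The URLs are constructed, and "site" is simplified to scheme plus the last two host labels (no public-suffix list).

```javascript
// Added example, not part of oidc-client-ts or this issue: a small model of the
// browser's cookie rules for the hidden-iframe /connect/authorize request that
// silent renew makes when no refresh token is used. URLs below are constructed.
// Assumption: a "site" is scheme + the last two host labels (no public-suffix list).

function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split(".");
  const registrable = labels.length > 2 ? labels.slice(-2).join(".") : u.hostname;
  return `${u.protocol}//${registrable}`;
}

// cookie: { sameSite: "Strict" | "Lax" | "None" | undefined, secure: boolean }
// appUrl: the SPA's top-level origin; authorizeUrl: the authority's authorize endpoint
function cookieSentOnSilentRenew(cookie, appUrl, authorizeUrl) {
  const sameSite = (cookie.sameSite || "Lax").toLowerCase(); // unspecified treated as Lax
  const crossSite = siteOf(appUrl) !== siteOf(authorizeUrl);
  if (sameSite === "none" && !cookie.secure) {
    return { sent: false, reason: "SameSite=None without Secure: browser rejects the cookie" };
  }
  if (cookie.secure && new URL(authorizeUrl).protocol !== "https:") {
    return { sent: false, reason: "Secure cookie is never sent over plain http" };
  }
  if (!crossSite) {
    return { sent: true, reason: "same-site request: cookie attached regardless of SameSite" };
  }
  if (sameSite === "none") {
    return { sent: true, reason: "SameSite=None; Secure: attached, unless the browser blocks third-party cookies" };
  }
  // Lax cookies only ride on top-level navigations; the silent-renew iframe is not one,
  // and Strict cookies never go cross-site. The authz server then answers login_required.
  return { sent: false, reason: `SameSite=${sameSite} cookie withheld from cross-site iframe navigation` };
}

// Constructed scenarios mirroring the thread: local "ng serve" vs. production.
function diagnose() {
  const sessionCookie = { sameSite: "Lax", secure: true };
  const authorize = "https://auth.example.com/connect/authorize";
  return {
    local: cookieSentOnSilentRenew(sessionCookie, "http://localhost:4200", authorize),
    production: cookieSentOnSilentRenew(sessionCookie, "https://app.example.com", authorize),
  };
}

console.log(diagnose());
```

Compare the `reason` strings against the real cookie's attributes in the browser's storage inspector; a `sent: false` result for the local scenario is the login_required case from the thread.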

Same behavior with v2.0.3, it worked fine a few weeks ago. For about 2-3 weeks I have had the problem, but only in Firefox.

SameSite policy has not changed: (image)

admir86 avatar Jul 18 '22 16:07 admir86

> You will need to debug that on your side. Check if you have a cookie, verify its settings. Verify that the browser is allowed to send it to the request host (authz host for silent renew). Eventually CORS is in your way, if that is the case you need to whitelist your site on the authz server, ...

It works if I perform a login. It sends the cookie to the /connect/authorize endpoint and I get a successful login and valid access and id tokens. But on silent renew it doesn't send the cookie and therefore I get a login_required error.

Dynamic91 avatar Jul 19 '22 07:07 Dynamic91

> Same behavior with v2.0.3, it worked fine a few weeks ago. For about 2-3 weeks I have had the problem, but only in Firefox.
>
> SameSite policy has not changed: (image)

I only have the problem locally (ng serve). In production it works (that's probably why nobody reported it 😄). I think it's a CORS problem; I just don't understand why it's only in Firefox and was working a few weeks ago.

admir86 avatar Jul 19 '22 07:07 admir86