
I am using Identity Server 4 within a .NET Core site and using it to handle OAuth with PKCE for an Angular app (using the angular-oauth-oidc library). The normal login process works fine, but when the website tries to perform a silent refresh it makes an HTTP POST to http://identityServerURL/connect/token which contains headers:

  • grant_type: refresh_token
  • client_id: xxxxxxxxxxxxxxxxxxxxxxxxxxx
  • scope: openid profile offline_access
  • refresh_token: null
  • client_secret: xxxxxxxxxxxxxxxxxxxxx

An HTTP 400 code is received back from the IdentityServer, and it appears from the logs that making an HTTP POST to that endpoint is not allowed.

Does anyone have any thoughts on this and/or how to get refresh tokens to work?

Thanks in advance

Mad Eddie

1 Answer


The most likely reason you run into this (we have to guess slightly, since we don't have a reproducible scenario for your situation...) is that there is a bug in the Angular library preventing iframe-based silent refreshes from being triggered if you explicitly call silentRefresh() on the service.

The setupAutomaticSilentRefresh() method doesn't suffer from this problem, because the refresh that it schedules is one that uses refresh_tokens.

There is no good current workaround. Here's how I dealt with it to at least prevent the error you're describing.

Jeroen