
We tried to renew the token silently (refresh token) using the Oidc-Client library. We were able to log in successfully, but once the user's token expired the silent callback page was not called, even though it is configured as below. Kindly help if anything is missing or needs correcting. The silent redirect URI is also configured in the identity server as one of the redirect_uri values.

Login.ts

Office.initialize = function () {
  var settings = {
    authority: "https://xxxx.xxxxx.com/xxxx/v1",
    client_id: "https://xxx.xxx.com/",
    redirect_uri: "https://localhost:3000/taskpane.html",
    post_logout_redirect_uri: "https://localhost:3000/logout.html",
    revokeAccessTokenOnSignout: true,
    response_type: "id_token token",
    scope: "openid read:xxxx read:xxxx",
    state: true,
    filterProtocolClaims: true,
    loadUserInfo: true,
    nonce: true,
    clearHashAfterLogin: true,
    automaticSilentRenew: true,
    silent_redirect_uri: 'https://localhost:3000/silent-refresh.html',
    monitorsession: true,
    metadata: {
      issuer: 'https://xxx.xxx.com/xxx/v1',
      authorization_endpoint: "https://xxx.xxx.com/xxxxx/v1/connect/authorize"
    }
  };

  var mgr = new Oidc.UserManager(settings);
  mgr.signinRedirect();

  mgr.events.addAccessTokenExpiring(function () {
    console.log("token expiring...");
  });
};

silent-refresh.html

<head>
    <title>RefreshToken</title>
    <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
</head>
<body>
    <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/oidc-client/1.10.0/oidc-client.js"></script>
    <script>
        // Runs inside the hidden iframe: hands the renewal response back to the main window
        new Oidc.UserManager().signinSilentCallback()
            .then((user) => {
                console.log("silentrenewed");
            })
            .catch((err) => {
                console.log(err);
            });
    </script>
</body>

Auth.ts

import { UserManager, WebStorageStateStore } from "oidc-client";

export default class AuthSigninService {
  private userManager: UserManager;

  constructor() {
    const settings: any = {
      ..................
      automaticSilentRenew: true,
      accessTokenExpiringNotificationTime: 4,
      silent_redirect_uri: "https://localhost:3000/taskpane.html",
      monitorsession: false,
    };

    this.userManager = new UserManager(settings);
  }

  public signin() {
    return this.userManager.signinRedirect();
  }

  public async silentRenew() {
    try {
      const user = await this.userManager.signinSilentCallback()
        .then((success) => {
          console.log("silentrenewed");
          console.log(success);
        })
        .catch((err) => {
          console.log(err);
        });
    }
    catch (err) {
      console.log(err);
    }
  }
}

taskpane.ts

document.getElementById('btnSilent').onclick = SilentRenew;

async function SilentRenew() {

  const auth = new AuthSigninService();
  auth.silentRenew();
   
}
chennaiyan

1 Answer

Possible causes:

  • Something to do with the inline script
  • Maybe the second instance of UserManager also needs to be initialised with settings

WHAT I WOULD TRY

  • On the main window, call await mgr.signInSilent(); to do an 'on demand' silent renewal and see if you get any console.log output.

  • Make the iframe code part of your main app rather than running it inline in an HTML page

SOMETHING TO COMPARE AGAINST

My code sample does iframe silent renewal and the spa code may give you some ideas.

I tend to set the silent renewal URI to the main index.html page, which I find simpler. Then write code like this:

if (window.top === window.self) {

    // If index.html is running on the main window, run the app
    const app = new App();
    app.execute();

} else {
  
    // If index.html is running on an iframe, handle token renewal responses
    const app = new IFrameApp();
    app.execute();

}

Here is my OAuth code by the way.

Gary Archer
  • Thanks for the immediate response, Gary, but I still could not get the answer. I also tried index.html as the silent redirect page, but it is not being called in the console. Based on googling, it should be enough to implement the following: automaticSilentRenew: true, silent_redirect_uri: 'https://localhost:3000/silent-refresh.html', where the signinSilentCallback() method is also called. Apart from this, is anything missing? – chennaiyan Aug 07 '20 at 10:51
  • I would try to trace HTTP requests to see if an outgoing message is being sent, and if so what response the Authorization Server is returning. Could be something like a cookie being dropped, and the AS attempting to render a login page rather than handling prompt=none correctly – Gary Archer Aug 07 '20 at 12:30
  • I have been tracing in the Chrome browser network tab, but at no time could I see the silent-refresh.html page being called, which is the issue in focus. – chennaiyan Aug 07 '20 at 12:51
  • Try setting Log.Level='debug': as in [my code](https://github.com/gary-archer/authguidance.websample.final/blob/master/spa/src/plumbing/oauth/web/trace/oidcLogLevel.ts), then invoking signInSilent() in response to a button click and see if that tells you anything. Feels like OIDC Client Library is throwing an error so you may want to override the signInSilentError event handler. – Gary Archer Aug 07 '20 at 13:11
  • Thanks Gary. I will try and let you know. – chennaiyan Aug 07 '20 at 14:08
  • Hi Gary. I tried the sample code Auth.ts and taskpane.ts, which are attached in the main request. With that I am getting the success response as 'undefined'. I am also trying to add oidc.log, but I am not sure how to implement it with the constructor code; I am still looking into adding Log. Any thoughts? – chennaiyan Aug 09 '20 at 17:15
  • Have you had a chance to look into this? – chennaiyan Aug 11 '20 at 12:41
  • Put yourself in my shoes - I don't know how to run your code do I? If you can give me a GitHub repo or something I could try to run it. Otherwise I'm lacking the tools to do the job. – Gary Archer Aug 11 '20 at 13:02
  • I was somewhat able to invoke signinSilent on button click, with the silent-refresh.html page being called, but I am still checking why it is not firing automatically. However, when invoking signinSilent on button click it throws the exception below in the catch block: "metadata does not contain property jwks_uri". Does it mean some configuration has to be implemented on the IDSRV side? Can you please confirm this in detail? I referred to the specs, which say those are the signingKeys. – chennaiyan Aug 13 '20 at 12:28
  • Hi team, can anyone help? – chennaiyan Aug 15 '20 at 03:40
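
An added example, not code from the question, the answer or oidc-client itself: a small lint over a settings object shaped like Login.ts. It flags why the "metadata does not contain property jwks_uri" error from the comments appears (oidc-client 1.10 uses a hand-written `metadata` object in place of the discovery document, so the keys needed to validate the id_token signature are never located) along with the other silent-renew settings issues visible on this page. The function name, rule ids and sample hosts are assumptions.

```javascript
// Added example: lint an oidc-client 1.x settings object for silent-renew problems.
// checkSilentRenewSettings and the rule ids are hypothetical, not part of oidc-client.
const CAMEL_CASE_KEYS = [
  "automaticSilentRenew", "monitorSession", "accessTokenExpiringNotificationTime",
  "revokeAccessTokenOnSignout", "filterProtocolClaims", "loadUserInfo",
];

function checkSilentRenewSettings(settings) {
  const findings = [];
  const add = (rule, detail) => findings.push({ rule, detail });
  // Object keys are case-sensitive, so a mis-cased option is silently ignored.
  for (const key of Object.keys(settings)) {
    const known = CAMEL_CASE_KEYS.find(
      (k) => k !== key && k.toLowerCase() === key.toLowerCase());
    if (known) add("miscased-key", `"${key}" should be "${known}"`);
  }
  if (settings.automaticSilentRenew && !settings.silent_redirect_uri) {
    add("no-silent-redirect-uri", "automatic renewal has no iframe callback page");
  }
  if (settings.silent_redirect_uri && settings.silent_redirect_uri === settings.redirect_uri) {
    add("silent-uri-is-app-page", "page must branch on window.top === window.self");
  }
  // A hand-written metadata object replaces the discovery document, so it must
  // carry everything the flow needs; checking an id_token signature needs keys.
  const wantsIdToken = /\bid_token\b/.test(settings.response_type || "");
  const meta = settings.metadata;
  if (meta && wantsIdToken && !meta.jwks_uri && !settings.signingKeys) {
    add("metadata-missing-jwks_uri",
        "copy jwks_uri from the server's discovery document, or drop the override");
  }
  return findings;
}

// Constructed sample shaped like Login.ts above; the host is a placeholder.
const sample = {
  authority: "https://idp.example.test/tenant/v1",
  redirect_uri: "https://localhost:3000/taskpane.html",
  response_type: "id_token token",
  scope: "openid",
  automaticSilentRenew: true,
  silent_redirect_uri: "https://localhost:3000/silent-refresh.html",
  monitorsession: true,
  metadata: {
    issuer: "https://idp.example.test/tenant/v1",
    authorization_endpoint: "https://idp.example.test/tenant/v1/connect/authorize",
  },
};
console.log(checkSilentRenewSettings(sample));
```

Removing the `metadata` override lets the library read `jwks_uri` from the authority's discovery document, which keeps id_token signature validation in place.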