  • client type: SPA
  • grant type: implicit or code (PKCE)

As a user, I want to be able to get silently authenticated if I have already logged in with my identity provider. If not, I should stay on the client side just like a guest user. And if I want to log in to the client, I should be able to get authenticated manually through the login page.

This has both manual sign-in and automatic sign-in scenarios. How would you handle such cases in Open ID Connect?

Adding prompt=none in the client settings will silently get a new token if the user has a valid session. But if not, I want the user to be able to manually authenticate through the login page upon his/her wish.

If I set prompt=none this will never have any user interaction such as authentication.

tags: Silent authentication oidc, automatic login, SSO

Charitha Goonewardena

2 Answers

It is quite a deep subject, and the flow typically works like this:

CLASSIC OIDC SOLUTION

  • User is redirected for each SPA
  • If signed in already at the IDP there is no login prompt
  • OAuth state is stored in local storage (though it is recommended to only store actual tokens in memory)
  • When an access token expires (or before) do an iframe token renewal with prompt=none
  • When a new browser tab is opened do an iframe token renewal to get tokens for that tab - to avoid a full redirect
  • When the user logs out remove OAuth state from local storage

The most widely used library is OIDC Client which will do a lot of the hard work for you. See also my blog post + code sample for how this looks visually.

PROBLEM AREAS

It is worth being aware also that iframe silent renewal does not work by default in the Safari browser in 2020. Some notes on this here.

Gary Archer
  • Ohhhh. Thanks for the problem areas you mentioned. Is there any workaround for that? – Power Star Apr 17 '21 at 21:56
  • Also I am unable to use the refresh_token grant flow, as our identity server requires a client id and secret auth header in the request. But OIDC is not sending it, as having the secret on the client side is not advised. – Power Star Apr 17 '21 at 22:02

Alternatively, you can use signinSilent(). I have used it in my login page's ngOnInit (since AuthGuard will anyway redirect the user to login, I thought it would be the perfect place in my scenario).

// login.ts
// Try a silent sign-in when the login page loads: success means the IdP session
// was reused; failure (typically login_required) leaves the user on the login page
// as a guest, where they can sign in manually.
ngOnInit(): void {
    this.authService.signinSilent()
        .then((user: User) => { /* session restored; continue as authenticated */ })
        .catch((err: unknown) => { /* no IdP session or renewal failed; stay as guest */ });
}

// authService (wraps the oidc-client UserManager)
public signinSilent(): Promise<User> {
    // Runs the prompt=none iframe flow; resolves with the User or rejects with login_required
    return this.userManager.signinSilent();
}

The signinSilent method will return the user object if the user already has a valid session with the IdP; otherwise it will throw an error, probably login_required.

Charitha Goonewardena
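The silent-then-guest decision described in both answers, as an added example that is not code from the question or either answer. The UserManagerLike interface is an assumption that mirrors only the two oidc-client UserManager methods this logic needs (signinSilent and signinRedirect); in a real SPA you would pass the library's UserManager instance, and the error objects below are constructed to look like oidc-client's ErrorResponse.

```typescript
// Minimal view of a user object and of oidc-client's UserManager (assumed shape).
interface User { profile: { sub: string }; access_token: string }
interface UserManagerLike {
  signinSilent(): Promise<User>;   // iframe renewal with prompt=none
  signinRedirect(): Promise<void>; // full, interactive redirect to the IdP login page
}

type SessionState =
  | { kind: 'authenticated'; user: User }
  | { kind: 'guest'; reason: string };

// OIDC error codes that mean "no usable IdP session": the SPA should stay a guest
// and offer the manual login button instead of treating these as failures.
const NO_SESSION_ERRORS = ['login_required', 'interaction_required', 'consent_required'];

function errorCode(err: unknown): string {
  // oidc-client rejects with an ErrorResponse whose `error` holds the OIDC code;
  // a timeout or a blocked iframe (the Safari case above) surfaces as a plain Error.
  const e = err as { error?: string; message?: string } | null;
  return e?.error ?? e?.message ?? 'unknown_error';
}

// Map a failed silent sign-in to a guest state, keeping the reason for logging.
function guestStateFromError(err: unknown): SessionState {
  const code = errorCode(err);
  if (NO_SESSION_ERRORS.indexOf(code) !== -1) {
    return { kind: 'guest', reason: code };
  }
  // Anything else (network failure, iframe blocked, timeout) must never be
  // mistaken for "logged in"; the user is still a guest, but the cause differs.
  return { kind: 'guest', reason: `silent_signin_failed:${code}` };
}

// App start / login page: silently restore the session if the IdP has one,
// otherwise continue as a guest without any user interaction.
async function resolveInitialSession(um: UserManagerLike): Promise<SessionState> {
  try {
    const user = await um.signinSilent();
    return { kind: 'authenticated', user };
  } catch (err) {
    return guestStateFromError(err);
  }
}

// Login button: always an interactive redirect, never prompt=none.
function loginInteractively(um: UserManagerLike): Promise<void> {
  return um.signinRedirect();
}
```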