2

We have 3 apps: Client (React/SPA), API (ASP.NET CORE 3.1), and Auth (ASP.NET CORE 3.1 with IdentityServer 4).

Fairly recently, the app is starting to constantly do what appears to be a silent renew. As soon as the client app loads, I can see in the network tab that it immediately hits the authorize endpoint on the identity server, then I see the silent renew page load in an iframe on the app, then it hits the token endpoint on the identity server, then userinfo, and it just keeps cycling through this sequence - just never stops. Over and over. We use redux-oidc, which runs over oidc-client, and I can see within the console that this isn't being done or handled by redux-oidc. I can also see when handling events on the UserManager that my token isn't expiring, so it doesn't appear to be kicking this off either. We have on our identity server samesite=none with the secure attribute too for cookies that come out of there as well, as I thought that might be the problem, but this is still occurring.

Is there something else we should be looking at? And why would this have all of a sudden recently started happening - we even backed our code out to a version from over a month ago, and the problem still occurs, so we're not aware of any code changes we did that could cause this as this just started happening within the last week I believe.

user1368182
  • Can you post the IdSvr settings, client config on IdSvr and SPA app client settings? Can you verify there was no code change on IdSvr, client and also DB if you use DB? – nahidf Sep 02 '20 at 21:30
  • Hi! I just figured this out a minute ago - it turns out that turning on HttpOnly for all my cookie policy on the identity server was somehow causing this (HttpOnly = Microsoft.AspNetCore.CookiePolicy.HttpOnlyPolicy.Always). When I turned that off, this problem stopped happening. But I'm not yet sure why this is, as I understand that HttpOnly is recommended to flag the cookies, so if you have any insight, that would be much appreciated. – user1368182 Sep 02 '20 at 21:33

1 Answer

2

HttpOnly is a flag added to cookies that tells the browser not to expose the cookie to client-side scripts. When you set a cookie with the HttpOnly flag, it informs the browser that this special cookie should only be accessed by the server.

But that cookie is required by the OIDC session management spec for JS/SPA clients. If you change it, you will break those types of clients. This is by design; check the spec: https://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification

So you are good as is; no need to set HttpOnly to true.

nahidf
  • You can find some more interactions from IS founder in here: https://github.com/IdentityServer/IdentityServer3/issues/3512 – MuKa Mar 14 '23 at 14:38