Refresh Token without Service Worker but with HTTP Only Cookies

AxaFrance / oidc-client

Light, Secure, Pure Javascript OIDC (Open ID Connect) Client. We provide also a REACT wrapper (compatible NextJS, etc.).

MIT License

601 stars 161 forks source link

Refresh Token without Service Worker but with HTTP Only Cookies #1357

Open bogdanbz93 opened 7 months ago

bogdanbz93 commented 7 months ago

Hi!

I may be new to this domain. My API server sends the refresh_token as an http only cookie. Since it doesn't come directly in the response, how can I refresh the token by sending it back?

Thanks!

guillaume-chervet commented 7 months ago

hi @bogdanbz93 ,

You need to use silent signin : https://github.com/AxaFrance/oidc-client/blob/main/FAQ.md#condition-to-make-silent-signing-work and do not ask for scope offline_access which bring refresh_token.

In 2024 it will works well only if your OIDC provider is under the same Domain than your application.

bogdanbz93 commented 7 months ago

Thanks @guillaume-chervet,

Hmm, but how can I insert credentials: "include" to get my Cookie from my token endpoint, first?