Open ghost opened 3 years ago
It supports refresh tokens and renewal already.
> It supports refresh tokens and renewal already.

Cool, how can we configure it to use refresh tokens? I don't see that in the documentation.
Request offline_access as a scope, as per the spec. https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess
@brockallen Perfect, thanks a lot. It works when using the offline_access scope. 🎉
Could you please mention it in the Wiki documentation? That would be helpful for other developers too.
You know refresh tokens in the browser are not really recommended, though, right?
That's what I thought at first. But recently, Auth0 recommends refresh token rotation as more secure than silent renewal with iframe.
See https://auth0.com/docs/tokens/refresh-tokens#for-single-page-apps
Did you watch the video above?
I just watched the video. Thanks for sharing. I understand the attacking vectors on refresh token rotation now.
Could you please explain how silent renewal with iFrame is still better than refresh token rotation? Is silent renewal with iFrame not vulnerable to XSS?
@keth-dev Were you able to get enlightened on that? I was wondering about the same. From what I understand from the video there is no way to avoid browser vulnerabilities aside from using BFF, which essentially means once someone busts your SPA with XSRF it doesn't really matter whether you use refresh token rotation or silent renewal.
> which essentially means once someone busts your SPA with XSRF it doesn't really matter whether you use refresh token rotation or silent renewal.
The difference is the amount of damage in what amount of time. A leaked refresh token will allow an attacker much longer and potentially infinite time if there's no absolute limit on the RT.
The BFF approach we suggest (if you're using ASP.NET) is this one: https://blog.duendesoftware.com/posts/20210326_bff/
@brockallen I see, but once the length of sessions kept with the ID provider for silent renewal surpasses refresh token lifetime it should be virtually the same if I am not mistaken.
As far as I see, the oidc-client-js library supports only silent renewal with a silent renew callback URL. Is there a way to make it work with the refresh token mechanism? If not, are there any plans to support it in the future?