如何使用 oauth2 静默登录用户？

Question

I am building a web app for a booking platform and I am using oauth2 to use their API and authentificate users. My app is embedded in an other website named here 'X' that I am not in control. When the user click on my app, it loads https://localhost/?_account_id=12 in an iframe where _account_id=12 is its own account id in X website.

• I am using the oauth2 authorization code flow so the user approves my app.
• I am storing securely the refresh token provided by the authorization server.
• I am storing in session the account_id parameter.
• The authorization server doesn't support the famous prompt=none .
• This is the first time I use oauth2 so maybe I didn't understand correctly how oauth2 works.

Since I can't only rely on the _account_id parameter because of security, I need to authentificate the user each time it connects to my app. Doing so, each time the session expires, the app prompted the user to approve my app.

With other apps available in X, I am never prompted to re-approve the apps. So when analysing them, the network developer tool of my browser lists this each time I connect to other apps :

204 https://other_app_provider/fr/admin?_account_id=12

302 https://other_app_provider/auth/?_account_id=12

302 https://authorization_server/oauth/authorize?_account_id=12&client_id={CLIENT_ID}&redirect_uri={REDIRECT_URI}&response_type=code&scope={SCOPES}&state={STATE}

302 https://other_app_provider/auth/bookingsync/callback?code={CODE}&state={STATE}

200 https://other_app_provider/admin

I repeat that there is no approval screen between the authorization and the callback.

My question : How to authentificate the user silently using the authorization code flow or the implicit flow ? In other terms, how to imitate the behavior described above ?

Thank you for answering !

Answer 1

Could I ask a few questions first - to see if I'm understanding the scenario:

• Does the user login to the host app X first and your app then gets loaded as a plug-in?

• Is this a federation scenario where different companies build the host and plug-in?

• Do the host and plug-in use the same authorization server or are they different login systems with different user credentials.

Avoiding the consent prompt may be as simple as switching this setting off in the OAuth Client entry for your app in the Authorizatiom Server

It is worth being aware that OAuth logins in an iframe are often blocked due toclickjacking concerns and a more reliable option is to use a pop-up window for plug-in logins.

In some scenarios it can be very hard or impossible to achieve the desired behaviour of making the solution feel like a single integrated UI - but your requirement is becoming very common.

Answer 2

I've found the solution :

There was an option account_id in X authorization server not well documented :

Pre-Select The Account To Authorize

When calling your Admin URL, we pass the parameter _account_id . The value of this parameter can be used as the account_id parameter during the authorization process. Doing so will pre-select the account to authorize when using the Authorization Code Flow or Implicit Flow.

So I can imitate the behavior described in the question by passing account_id parameter in the authorization url.

Now, I understand the term Pre-Select by :

Check if the account owner is connected to the host app, select its account and silently authentificate the account owner in the app, if it's an already approved account.

If I didn't see it in the network developer tool, it was because they were provided by X, so maybe X use cookie/session to Pre-Select the account to authorize. I had to install third-party apps to see the account_id parameter in the authorization url.

Thank you for your answer !