Silent Refresh Still Works After AccessToken Expiry
Question
I've got an ID4 authentication server working well with an Angular app that is implementing angular-oauth2-oidc with SilentRefresh and a PCKE Authorisation flow.
Everything is working great - the ID4 is configured to serve AccessTokens with a 5 minute lifetime and the Angular app will silently refresh the token every minute (will likely change to refresh with 0.75 time elapsed). The problem I am finding however, is that I can close the browser having logged in - then open it again on the site 10 minutes later (after the original AccessToken has expired without being refreshed) - however the Silent Refresh kicks in a refreshes the token and the user remains logged in. This is a significant security hole.
My client side configuration looks like this:
{
issuer: config.authServerUrl,
clientId: '<redacted>', // The "Auth Code + PKCE" client
responseType: 'code',
redirectUri: window.location.origin,
silentRefreshRedirectUri: window.location.origin + '/silent-refresh.html',
postLogoutRedirectUri: window.location.origin,
scope: 'openid profile email api',
useSilentRefresh: true, // Needed for Code Flow to suggest using iframe-based refreshes
silentRefreshTimeout: 60000, // For faster testing
sessionChecksEnabled: true,
showDebugInformation: !config.production, // Also requires enabling "Verbose" level in devtools
clearHashAfterLogin: false,
nonceStateSeparator : 'semicolon', // Real semicolon gets mangled by IdentityServer's URI encoding
}
and My ID4 configuration looks like this:
{
"Enabled": true,
"ClientId": "<redacted>",
"ClientName": "<redacted>",
"ClientSecrets": [ { "Value": "<redacted>" } ],
"AccessTokenLifetime": "300",
"AllowedGrantTypes": [ "authorization_code" ],
"AllowedScopes": [ "openid", "profile", "email", "api" ],
"AllowedCorsOrigins": [
"http://localhost:4200"
],
"PostLogoutRedirectUris": [
"http://localhost:4200"
],
"RedirectUris": [
"http://localhost:4200",
"http://localhost:4200/silent-refresh.html"
]
}
I would like the behaviour to be that the silent refresh will only work if I open the browser again on the site, within the AccessToken's expiry time - ie if I open after the AccessToken has expired - then I can't refresh and need to log in.
It seems that the Silent Refresh doesn't use RefreshTokens as the scopes presented on login don't include offline_access and I don't have AllowOfflineAccess set to true on the ID4 side. Are refresh tokens being used here - is the configuration implied in some way - if so, why can you allow a RefreshTokens lifetime to be longer than the AccessTokens?
1 answers
solution1
1 2021-02-03 07:39:36
One thought is that your IdentityServer sets its own "session" cookie during your initial login and that one is used allow the application to silently reauthenticate and get a new access token. You can tweak the lifetime of this cookie from IdentityServer.
I would verify this behaviour using a proxy like Fiddler .
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.