Using OAuth2 Implicit Flow(IdentityServer4), do users have to re-input password every expiration of access token?

5
votes

I need to implement Authorization/Authentication for an Angular2 Client Side WebApp to talk to a Resource Server(WebApi).

I am investigating IdentiyServer4 and choosing a Grant Type / Flow. HERE

  1. Resource Owner Password Credentials Grant(What we use now.) "This is so called “non-interactive” authentication and is generally not recommended".
  2. Authorization Code & Hybrid <- Solution to Implicit Flow not allowing Refresh Tokens.(Seems fairly complex to me. But is this the way to go?)
  3. Implicit Flow - Recommended for SPA's everywhere I look. But does not support Refresh Tokens..

With Implicit Flow, how do I not require the user of the SPA to have to type in a password every say 3600 sec? A recommended access_token lifetime. I presume there is something I do not understand about getting the new authorization URL.

Resources I have looked at.

Thanks for the answer Scott. I have some reading to do.

1
oauth-2.0openid-connectidentityserver4

1 Answers

3
votes

When using the Implicit flow you can still use your own cookie lifetimes (ie longer than 3600 seconds). To get around access tokens expiring, you can use the fact that the user is still authenticated within IdentityServer to fetch another access token, without the need for refresh tokens.

The IdentityModel OpenID Connect JS Client does this by firing an event just before access token expiration and using an iframe to make a fresh authentication request to IdentityServer. If the user is still logged into IdentityServer (which has a different, typically longer lived cookie than your own client application), then IdentityServer sends back fresh tokens just like a normal authentication request. This happens in the background with no interaction from the user and no interruption.

Check out the automaticSilentRenew functionality in this library for implementation specifics.

By the way, the Implicit, Authorization Code and Hybrid grant types, in the case of IdentityServer, are OpenID Connect grant types. Resources referring to the OAuth versions may not apply to your use case.