
Recently I have written an identity provider with OpenID Connect. I have exposed both the token endpoint and the OAuth flow.

I know that we cannot provide a refresh token to revoke either of the tokens in the case of an SPA. So what I did is, when my access token expired, I always called the IDP server and it refreshed my token, but the problem I am facing is that the authentication is not performed silently in the background; sometimes a flash screen appears and my callback URL is called, where I save the token again.

So is there any way I can revoke the access token without the user knowing?

One way is to call the identity provider after my token expires and refresh my token in the background, but still, if at the same time the user tries to call the API with the old one, he receives a 401.


1 Answer


For an SPA the most mainstream solution is to use the oidc-client library to do token renewal for you - I think that's what you're asking?

The simplest revocation solution is to use short-lived tokens - 60 minutes is common.

It depends on your Authorization Server but a good starting point is to understand the prompt=none parameter - my SPA write up might help: https://authguidance.com/2017/10/24/user-sessions-and-token-renewal/

Some
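As an added example (not code from the question, the answer, or the oidc-client library): a small Node/JavaScript model of the silent renewal the answer points to. It builds the prompt=none authorize URL an SPA would load in a hidden iframe, and keeps an access-token cache that renews ahead of expiry and shares one in-flight renewal between concurrent callers, which is what avoids the 401 the asker describes. The authority, client id, redirect URI and the renew callback are hypothetical placeholders.

```javascript
// Build the authorization request for a hidden-iframe renewal.
// prompt=none tells the IdP to answer with an error (e.g. login_required)
// instead of rendering a login page, so the user never sees a flash screen.
function buildSilentRenewUrl({ authority, clientId, redirectUri, scope, state, nonce }) {
  const params = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope,
    state,          // bind the iframe response to this request
    nonce,          // bind the id_token to this request
    prompt: 'none',
  });
  return `${authority.replace(/\/$/, '')}/authorize?${params}`;
}

class TokenStore {
  // renew: async () => ({ accessToken, expiresIn }) - hypothetical callback that
  //        runs the iframe round trip and returns the new token (expiresIn in seconds)
  // skewSeconds: renew this long before real expiry to cover latency and clock skew
  // now: clock function, injectable for testing
  constructor(renew, skewSeconds = 60, now = () => Date.now()) {
    this.renew = renew;
    this.skewMs = skewSeconds * 1000;
    this.now = now;
    this.token = null;
    this.expiresAt = 0;
    this.inFlight = null; // single-flight: concurrent callers share one renewal
  }

  needsRenewal() {
    return !this.token || this.now() + this.skewMs >= this.expiresAt;
  }

  // Callers always get a token that is still valid for at least skewSeconds,
  // so an API call never goes out with an already-expired token.
  async getAccessToken() {
    if (!this.needsRenewal()) return this.token;
    if (!this.inFlight) {
      this.inFlight = this.renew()
        .then(({ accessToken, expiresIn }) => {
          this.token = accessToken;
          this.expiresAt = this.now() + expiresIn * 1000;
          return accessToken;
        })
        .finally(() => { this.inFlight = null; });
    }
    return this.inFlight;
  }
}
```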