Hi all,

For a browser-based app, we try to follow the recommendations set in draft-ietf-oauth-browser-based-apps-01. This does allow us to create a secure OAuth 2.0 browser-based application, but at the moment it comes at a cost wrt. user experience when the access token expires. Our current solution forces us to redirect the user to the authorization server for a new authorization code. This will destroy most state the browser-based app has, causing the user to lose data. We are looking for a way to get a new access token in a secure way without disrupting the user.

As a refresh token is not issued to the app (as it should be), the application is forced to do a front-channel re-authentication for an authorization code. We are thinking of letting this front-channel communication happen in a hidden iframe. Naturally, this can only be done if no user interaction is required, hence we want to use the OIDC prompt=none. Is this a viable way of doing this re-authentication? Can it hurt to open up our authorization server for non-interactive authorization requests inside an iframe? At the moment we do not allow iframes at all.

Maybe anybody knows a different way of achieving this? As I cannot believe we are the only ones facing this issue, maybe a recommendation can be put in the spec?

Best regards,
Emond Papegaaij

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth