Silent refresh of id-token and accesstoken after expiry

This topic has 2 replies, 2 voices, and was last updated 3 years, 3 months ago by Mijathi.

  • Author
    Posts
  • #19035
     Mijathi
    Participant

    Hello,

    We are building a single page application which will, of course, talk to secured API’s.
    After some serious reading around, we found that OpenID-connect – implicit grant might be the most secure way to go.

    One of the characteristics of this flow is that there is no client-secret – fine – but also no refresh-token. The latter meaning that a re-authentication is required after the expiration of the JWT token.

    Is there a way to make this a silent operation in which the user doesn’t have to authenticate again? The use-case is simply if a user remains active beyond the configured lifetime of his session, the session should be extended.

    #19036
     Neil Madden
    Participant

    You can use prompt=none (http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) if the user still has a valid OpenAM session and has saved consent for your application.

    #19048
     Mijathi
    Participant

    Hi,

    Thanks, exactly what I was looking for.

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.

©2021 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?