Consider dropping silent-refresh/iframe by using refresh endpoint

[beltschatsar]

Hi,

Would you consider a PR that would drop silent-refresh using iframe by replacing it by calling refresh endpoint ?

This would add following benefits:

• Better handling of historic issues with iframe/cookies involving different domain for backend app and AS
• Simplify codebase by reducing code (no more asset/html/silent-refresh)
• Add flexibility by enabling some use case (ex: http interceptor handling token renewal when token has expired)

Thanks!

[jeroenheijmans]

Hmmm, interesting idea, but I'd have to think about it for a bit. I see both pro's and cons. In addition to what you mention:

• Some folks might still want the iframe variant, and since that is harder to achieve the sample is of extra value to them (it's easier to go from the current sample down to non-iframe, than the other way around)
• I presume you mean using offline_access style refresh tokens instead, right? They are indeed a possibility, but they also come with certain extra attack vectors and security considerations that in their own right require attention.

I still like the idea though, and we could also point to a tag or a branch that still has the iframe variant.

I reckon the main question now would be if I personally would recommend refresh tokens over iframe-based solutions as a default option. Like I said, I have to chew on that for a bit.

Thanks in any case for opening this suggestion/issue!

[beltschatsar]

Just to note that offline_access was not required for me in code flow with PKCE. This discussion seems to raise that as well: manfredsteyer/angular-oauth2-oidc#1241 .
My understanding is that if I was in a use-case where I should do things in background (ex: in service worker), then I would have to ask for offline_access for this specific case. At that point, I agree with you when you say "extra attack vectors and security considerations".

[jeroenheijmans]

Just to note that offline_access was not required for me in code flow with PKCE.

Interesting! I commented in that thread as well, and after my comment I had not yet seen any follow up from community members showing how to use the angular-oauth2-oidc library with refresh tokens but without offline_access. You seem to mention you succeeded?

Thought about it, and I would indeed be curious to see a PR for this setup. I would accept it (if it works well) in one way or another, though I might choose to pull the code into a special branch and document it as such. Would have to see it work to decide though.

Note that I rely strongly on the Duende Demo Identity server for both manual test runs (npm run start and the SSL variant), and npm run e2e runs. (I'm mentioning because the thread you linked speaks mostly of Keycloak, and I'm not sure if that changes things).