Guerric P

How do I detect ADFS SSO expiration when performing silent refresh with OIDC implicit flow?

I am authenticating my users against an ADFS with my Angular app, using OIDC implicit flow.

The ADFS SSO session duration is 8h and it provides tokens with a 1h duration.

I want to refresh the tokens during the whole SSO session, and trigger a redirect on the ADFS web form in case of SSO session expiration.

My problem is that when the SSO session expires and my web page tries to perform a silent refresh, the iframe eventually gets redirected to a URL like https://adfs.mycompany.com/adfs/oauth2/authorize/wia?response_type=id_token... which asks for Windows credentials through the www-authenticate: Negotiate and www-authenticate: NTLM headers. My users don't expect that and close the popup; my Angular library is then unable to get any information on what happened, because /adfs/oauth2/authorize/wia returns 401 without redirecting the iframe to the local HTML page that emits JavaScript events to the parent web page.

Eventually, my users have an expired token and I can't do anything about it, because I am not aware that the silent refresh failed.

How do I solve this?

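An added example, not code from the question above and not from any Angular OIDC library, showing the shape of a silent renew that cannot hang: the silent authorize request is sent with prompt=none (the OIDC-defined way to ask the IdP for error=login_required instead of a login UI), and the wait for the callback page's message is raced against a timeout, so an iframe that never reaches the redirect_uri (for instance because it is parked on a 401 from /adfs/oauth2/authorize/wia) is reported as a failed renew and the app can redirect the top window to interactive login. AUTHORITY, CLIENT_ID, REDIRECT_URI, SILENT_TIMEOUT_MS, and the assumption that the callback page runs parent.postMessage(location.hash, appOrigin) are placeholders, not values from the question.

```javascript
// Added example (not from the question or any OIDC library): OIDC implicit-flow
// silent renew in a hidden iframe with an explicit timeout, so a renew whose
// iframe never reaches the callback page is surfaced as a failure instead of
// leaving the app unaware that its tokens have expired.
//
// Assumed placeholders: AUTHORITY, CLIENT_ID, REDIRECT_URI, SILENT_TIMEOUT_MS, and
// a callback page that runs `parent.postMessage(location.hash, appOrigin)`.
const AUTHORITY = 'https://adfs.mycompany.com/adfs';
const CLIENT_ID = 'my-angular-app';
const REDIRECT_URI = 'https://app.mycompany.com/silent-callback.html';
const SILENT_TIMEOUT_MS = 10000;

// Random hex for state/nonce. WebCrypto in the browser, Node's webcrypto otherwise.
function randomHex(bytes = 16) {
  const webcrypto = globalThis.crypto ?? require('crypto').webcrypto;
  const buf = new Uint8Array(bytes);
  webcrypto.getRandomValues(buf);
  return Array.from(buf, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Authorize URL for the implicit flow. For a silent renew, prompt=none asks the
// IdP to answer with error=login_required rather than rendering any login UI.
function buildAuthorizeUrl({ state, nonce, silent }) {
  const url = new URL(AUTHORITY + '/oauth2/authorize');
  url.searchParams.set('client_id', CLIENT_ID);
  url.searchParams.set('redirect_uri', REDIRECT_URI);
  url.searchParams.set('response_type', 'id_token token');
  url.searchParams.set('response_mode', 'fragment');
  url.searchParams.set('scope', 'openid profile');
  url.searchParams.set('state', state);
  url.searchParams.set('nonce', nonce);
  if (silent) url.searchParams.set('prompt', 'none');
  return url.toString();
}

// Parse the fragment relayed by the callback page ("#id_token=...&state=...").
function parseFragment(hash) {
  return Object.fromEntries(new URLSearchParams(String(hash).replace(/^#/, '')));
}

// Map the relayed response to an outcome. Token validation (signature, exp,
// nonce) still belongs to your OIDC library; this only decides what happens next.
function classifyResult(params) {
  if (params.error === 'login_required' || params.error === 'interaction_required') {
    return { status: 'login_required', error: params.error };
  }
  if (params.error) {
    return { status: 'error', error: params.error, description: params.error_description };
  }
  if (params.id_token) {
    return { status: 'renewed', idToken: params.id_token, accessToken: params.access_token };
  }
  return { status: 'error', error: 'no_token' };
}

// Race the callback message against a timeout. `subscribe(handler)` registers a
// message handler and returns an unsubscribe function; it is injected so this
// logic also runs outside a browser. If nothing ever posts back (the WIA 401
// case), the promise resolves with status 'timeout' instead of hanging forever.
function awaitSilentResult({ subscribe, expectedState, expectedOrigin, timeoutMs }) {
  return new Promise((resolve) => {
    let settled = false;
    let unsubscribe = () => {};
    const finish = (result) => {
      if (settled) return;
      settled = true;
      clearTimeout(timer);
      unsubscribe();
      resolve(result);
    };
    const timer = setTimeout(() => finish({ status: 'timeout' }), timeoutMs);
    unsubscribe = subscribe((event) => {
      if (event.origin !== expectedOrigin) return; // ignore messages from other origins
      const params = parseFragment(event.data);
      if (params.state !== expectedState) return; // not a reply to this request
      finish(classifyResult(params));
    });
  });
}

// Browser glue: open the hidden iframe, wait, and fall back to interactive login.
async function silentRenew() {
  const state = randomHex();
  const nonce = randomHex();
  const iframe = document.createElement('iframe');
  iframe.style.display = 'none';
  iframe.src = buildAuthorizeUrl({ state, nonce, silent: true });
  document.body.appendChild(iframe);
  const subscribe = (handler) => {
    window.addEventListener('message', handler);
    return () => window.removeEventListener('message', handler);
  };
  const result = await awaitSilentResult({
    subscribe,
    expectedState: state,
    expectedOrigin: new URL(REDIRECT_URI).origin,
    timeoutMs: SILENT_TIMEOUT_MS,
  });
  iframe.remove();
  if (result.status !== 'renewed') {
    // SSO session gone, or the iframe is stuck on the 401 WIA page: redirect the
    // top window to the interactive ADFS form. Persist state/nonce (e.g. in
    // sessionStorage) before leaving so they can be checked when the user returns.
    window.location.assign(buildAuthorizeUrl({ state: randomHex(), nonce: randomHex(), silent: false }));
  }
  return result;
}
```

Whether ADFS honours prompt=none for a given client is something to confirm against your instance; the timeout is what makes the renew safe either way, since the parent page cannot read the cross-origin iframe's location and only ever learns about a renew through the callback page's message. Schedule silentRenew() a few minutes before the 1h token expiry so a timeout still leaves time to redirect before the token is actually dead.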

Answers (0)