Silent Renew Process - Storage Access APIs - PoC Working in Firefox #1735
Comments
@pamapa could you please quickly have a look at whether we can change how the IFrame is created? We really need to change the IFrame of silent_renew so that it can call the Storage Access API from the browser :( especially
The additional
A different approach:
Yet another approach (which already works): oidc-client-ts/src/UserManager.ts Lines 302 to 357 in 4be12a7
Hello @pamapa,
With the third-party cookie phase-out, the problem has existed in Firefox for a long time and will probably happen in Chrome early next year. I tried to implement a PoC which can resolve the problem. I really need this solution implemented in our library, because my PoC includes patching JavaScript code directly; therefore I need your support to review and help deliver the code.
The third-party cookie phase-out heavily affects our customers who are using the Firefox browser, and the issue is really getting serious. It will soon become a show stopper.
Here are my PoC flows and the remaining issue:
Environment setup:
Problems: keycloak_session (keycloak_session_legacy) is required to know that the user is already logged in, so that the IDP can renew the token.
Firefox behavior:
Chrome behavior: third-party cookie access is still possible, therefore the silent renew process can still return a new token.
Solution proposal, already proven via PoC:
Create an HTML page that contains:
document.requestStorageAccess()
The HTML will be loaded at startup of your application within an IFrame (the application runs on https://localhost:3000).
The HTML must be returned from the same domain as your IDP (where Keycloak is running), which is https://local.tuando.com.
The idea is to ask for Storage Access for the IDP domain before the actual IFrame for silent renew is created.
This IFrame will be shown to the end user, asking for permission by requiring the user to click a button to request storage access.
Next time the actual silent renew IFrame is created (by oidc-client-ts), the IDP domain already has storage access, so the IDP cookies will be sent together with the silent renew URLs.
Create another HTML page that contains:
A JavaScript function to ask for permission via the Storage Access API (assumed to always work thanks to the first IFrame).
When access is granted, post a message to the parent window application (which runs on https://localhost:3000).
The application listens for the message allowing storage access.
The application sets the redirect URL via
this._window.postMessage({redirectUrl: params.url}, "*");
The HTML (running within the IFrame) has a message listener and executes
window.location.href = event.data.redirectUrl;
Long story short:
Things that need to be done:
Complete flow for the end user:
Remaining error: after a successful renew, this error is always shown:
[Event('Window navigation aborted')] raise: Error: IFrame removed from DOM
@pamapa
If you need any information from my side, please let me know; I will answer as soon as possible.
P.S.: I'm sorry for mentioning you directly, but this is really important to me and I really need your help.
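The handshake sketched in the issue (IdP-served iframe requests storage access on a click, tells the parent, the parent hands it the silent-renew URL, the iframe navigates there) as an added example. This is not code from the issue or from oidc-client-ts. It keeps the two origins named above (app on https://localhost:3000, IdP on https://local.tuando.com); the element ids `grant` and `idp-frame`, the message `type` field and the Keycloak-style renew URL are assumptions. Two things differ from the snippets in the post and are the point of the example: both `postMessage` calls use an explicit target origin rather than `"*"`, and both listeners check `event.origin` and the iframe additionally refuses any redirectUrl whose origin is not the IdP, because a frame that carries IdP cookies must not be steerable by an arbitrary message. `document.hasStorageAccess()` and `document.requestStorageAccess()` are the real Storage Access API calls; the request must come from a user gesture. The message handlers are plain functions so the exchange can be driven in-process without a browser.

```javascript
// Added example, not part of the issue or of oidc-client-ts.
const APP_ORIGIN = "https://localhost:3000";      // from the issue
const IDP_ORIGIN = "https://local.tuando.com";    // from the issue

// --- IdP-served page, shown in a visible iframe; runs on a user click ---------
async function requestStorageAccessOnClick() {
  if (await document.hasStorageAccess()) return true;
  try {
    await document.requestStorageAccess(); // prompts in Firefox; rejects if denied
    return true;
  } catch {
    return false;
  }
}

// Listener for the IdP-served frame. `navigate` is injected so the check can be
// tested; in the browser it is (url) => { window.location.href = url; }.
function makeIdpFrameHandler({ appOrigin, idpOrigin, navigate }) {
  return function onMessage(event) {
    // Only the embedding application may steer this frame.
    if (event.origin !== appOrigin) return { ok: false, reason: "bad-origin" };
    const data = event.data;
    if (!data || data.type !== "redirect" || typeof data.redirectUrl !== "string")
      return { ok: false, reason: "bad-message" };
    let url;
    try { url = new URL(data.redirectUrl); } catch { return { ok: false, reason: "bad-url" }; }
    // The renew URL must point back at the IdP; this frame carries IdP cookies.
    if (url.origin !== idpOrigin) return { ok: false, reason: "foreign-url" };
    navigate(url.href);
    return { ok: true, navigatedTo: url.href };
  };
}

// --- Application side (parent window) -----------------------------------------
// `post(message, targetOrigin)` wraps frame.contentWindow.postMessage.
function makeAppHandler({ idpOrigin, renewUrl, post }) {
  return function onMessage(event) {
    if (event.origin !== idpOrigin) return { ok: false, reason: "bad-origin" };
    if (!event.data || event.data.type !== "storage-access-granted")
      return { ok: false, reason: "bad-message" };
    // Explicit target origin, so the URL is delivered only to the IdP frame.
    post({ type: "redirect", redirectUrl: renewUrl }, idpOrigin);
    return { ok: true };
  };
}

// Drives both handlers in-process (no browser) and reports where the frame ended up.
// The two *OfSender arguments let a test impersonate a foreign origin on either leg.
function simulateHandshake({ renewUrl, frameOriginOfSender = IDP_ORIGIN, appOriginOfSender = APP_ORIGIN }) {
  const targets = [];
  let navigated = null;
  const frame = makeIdpFrameHandler({
    appOrigin: APP_ORIGIN, idpOrigin: IDP_ORIGIN, navigate: (u) => { navigated = u; },
  });
  const app = makeAppHandler({
    idpOrigin: IDP_ORIGIN, renewUrl,
    post: (msg, target) => { targets.push(target); frame({ origin: appOriginOfSender, data: msg }); },
  });
  const appResult = app({ origin: frameOriginOfSender, data: { type: "storage-access-granted" } });
  return { appResult, navigated, targets };
}

// Browser wiring (skipped under Node). Element ids and the renew URL are hypothetical.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  if (window.location.origin === IDP_ORIGIN) {
    window.addEventListener("message", makeIdpFrameHandler({
      appOrigin: APP_ORIGIN, idpOrigin: IDP_ORIGIN, navigate: (u) => { window.location.href = u; },
    }));
    document.getElementById("grant").addEventListener("click", async () => {
      if (await requestStorageAccessOnClick())
        window.parent.postMessage({ type: "storage-access-granted" }, APP_ORIGIN);
    });
  } else {
    const frame = document.getElementById("idp-frame");
    window.addEventListener("message", makeAppHandler({
      idpOrigin: IDP_ORIGIN,
      renewUrl: IDP_ORIGIN + "/realms/demo/protocol/openid-connect/auth?prompt=none",
      post: (m, t) => frame.contentWindow.postMessage(m, t),
    }));
  }
}
```

The iframe's listener still only handles `message` events; it does not by itself address the "IFrame removed from DOM" error reported above, which comes from the library tearing the frame down while the navigation is in flight.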