Silent Authorization Code Flow instead of Refresh

[faehne]

We have an interesting requirement in our company for extending the Login time.

In our case it is forbidden to get new access_tokens by refresh token.
Instead we have to use a full authorization code flow every time nearly the expiry of the token.

It is garanteed, that the auth code flow is complete transparent.
So we have to do the flow in "silent mode" using an iframe.

That's why we are asking/searching for a solution in your lib.
Alternativly we will do a fork and extend the lib with our implementation.

kind regards
Holger

[arey]

Hi,

I have a similar issue. For security issue, our IdP just removed the refresh token generation for the authorization code flow with PKCE.
We now have to generate a new token trough a full authorization code flow.

@faehne have you reached to add some custom code to do the flow in "silent mode" using an iframe?

Thanks

[faehne]

Im not sure... but it should be possible to use the setupSilentRefreshEventListener (via silentRefresh) and also setup to code flow. Im not able to test this right now. I will write comment if i figured out ;)

An alternative would be the popup feature:
#1382

  /**
   * This method exists for backwards compatibility.
   * {@link OAuthService#initLoginFlowInPopup} handles both code
   * and implicit flows.
   */
  public initImplicitFlowInPopup...