SilentRefresh issue with Google OAuth: Refused to display https://accounts.google[...] in a frame #364
Do you have any suggestion on what could be done on this side to fix this? I mean: if Google prevents cross origin iframe loads, then there isn't much that can be done about that on the library side, right?
Not really, that is my problem ;) The behaviour right now is that the client just continues to send an invalid token in the header which the server applications cannot use because it has timed out. Actually Google has a refresh mechanism, documented here: Maybe the original token request needs to specifically request offline access for Google token?
Offline scope is something you could request, but I thought that was more for server side / API applications? Your link also goes to the docs about API clients, not web/js clients. Either way I don't think angular-oauth2-oidc supports Authorization Code flow, only Implicit and Resource Owner Password flows. You could also check out #115 where it is claimed (a while ago, so the same-origin thing might've come after that? not sure) that it should work as expected. I suggest looking at that other issue, and if you still run into problems try to make a minimal but complete repro for us, possibly trying Stack Overflow first where there's more people answering questions.
Yeah, I know :\ I used the information from #115 to get Google OAuth to run :)
You can
I will try with 'token_expired' tomorrow, I did not see it happen on the console via logging |
Try using this gist for extra logging if you aren't already. In addition, try lowering the
Yeah, that is what I am doing :) So I work around the issue for now by using timeoutFactor 1.0 and when I get a 'token_expires' event I will log out the user.
My workaround for now is this (within the event handler for the status events):
emmm..., I have the same problem as !
Reading back it seems there's not too much left to do within this library? Let us know if we should reopen the issue, if there's still something else to be done here.... |
I am using an internal ForgeRock server and implicit flow, but I got the same error and therefore I am not able to do silent renewals. Is there a way to do the renewal in a popup window? If not, this could be a feature request.
Google seems to set the X-Frame-Options header to "sameorigin", this leads to the following error during silent refresh:

To reproduce just use Google for OAuth and set up silent refresh after logging in via their provider:

```ts
this.oauthService.events.subscribe(e => {
  if (e instanceof OAuthSuccessEvent && e.type === 'token_received') {
    this.oauthService.setupAutomaticSilentRefresh();
  }
});
```
Settings for AuthConfig:

```ts
issuer: 'https://accounts.google.com',
redirectUri: window.location.origin,
silentRefreshRedirectUri: window.location.origin + '/silent-refresh.html',
clientId: '',
strictDiscoveryDocumentValidation: false,
scope: 'openid profile email',
showDebugInformation: true,
timeoutFactor: 0.1,
```

clientId must contain your own id, of course.
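Added example (my own code, not from this issue thread or from angular-oauth2-oidc): given the response headers of the provider's authorize endpoint, it reports whether an iframe-based silent refresh from the app's origin can work at all, applying the precedence browsers use (a CSP `frame-ancestors` directive overrides `X-Frame-Options`). The function names and the header sets in the test are assumptions; Google's `X-Frame-Options: sameorigin` answer is the case from the issue.

```typescript
// Added example, not code from angular-oauth2-oidc or from this issue: decide from an
// identity provider's response headers whether its authorize endpoint can be loaded
// in a hidden iframe from the app's origin, which iframe-based silent refresh needs.
// Google answers with X-Frame-Options: sameorigin, so the refresh iframe is refused.
export interface FrameCheck { allowed: boolean; reason: string; }

function parseOrigin(origin: string): { scheme: string; host: string; port: string } {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+))?$/i.exec(origin);
  if (!m) throw new Error("not an origin: " + origin);
  const scheme = m[1].toLowerCase();
  return { scheme, host: m[2].toLowerCase(), port: m[3] || (scheme === "https" ? "443" : "80") };
}

// Match one frame-ancestors source expression against the embedding (app) origin.
function sourceMatches(src: string, appOrigin: string, providerOrigin: string): boolean {
  const s = src.toLowerCase().replace(/^'|'$/g, "");
  if (s === "*") return true;
  if (s === "none") return false;
  if (s === "self") return appOrigin.toLowerCase() === providerOrigin.toLowerCase();
  const app = parseOrigin(appOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return app.scheme + ":" === s;   // scheme source
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;                                                 // host source
  const [, scheme, wild, host, port] = m;
  if (scheme && scheme !== app.scheme) return false;
  if (port && port !== "*" && port !== app.port) return false;
  return wild ? app.host.slice(-(host.length + 1)) === "." + host : app.host === host;
}

export function canFrameForSilentRefresh(
  headers: Record<string, string>, appOrigin: string, providerOrigin: string): FrameCheck {
  const h: Record<string, string> = {};
  for (const k of Object.keys(headers)) h[k.toLowerCase()] = headers[k].trim();
  // CSP frame-ancestors wins over X-Frame-Options when both are present.
  const csp = (h["content-security-policy"] || "").toLowerCase();
  const fa = csp.split(";").map(d => d.trim()).filter(d => d.indexOf("frame-ancestors") === 0)[0];
  if (fa) {
    const ok = fa.split(/\s+/).slice(1).some(src => sourceMatches(src, appOrigin, providerOrigin));
    return { allowed: ok, reason: (ok ? "frame-ancestors permits " : "frame-ancestors excludes ") + appOrigin };
  }
  const xfo = (h["x-frame-options"] || "").toLowerCase();
  if (xfo === "deny") return { allowed: false, reason: "X-Frame-Options: deny" };
  if (xfo === "sameorigin") {
    const ok = appOrigin.toLowerCase() === providerOrigin.toLowerCase();
    return { allowed: ok, reason: ok ? "same origin as provider" : "X-Frame-Options: sameorigin rejects " + appOrigin };
  }
  // Other or missing values (e.g. the obsolete allow-from) are ignored by current browsers.
  return { allowed: true, reason: "no framing restriction" };
}
```

Run this once against the issuer's authorization endpoint while setting up the app; when it reports the iframe is refused, rely on the `token_expires` handling described in the comments above instead of automatic silent refresh.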