PKCE and offline-access refreshtoken vs silentrefresh with cookie

[Anderman]

PKCE and offline-access

The readme give an example off PKCE but it uses refresh tokens which is not recommend for web apps.

It is also missing useSilentRefresh:true
and this.oauthService.setupAutomaticSilentRefresh();

Both senarios work but I thought the refresh token has some security issues see

Can the document be clear about both senarios?

[jeroenheijmans]

Thx for raising this issue! For sure, the readme can use a touch up.

It's not that bad though. Setting up automated silent refresh could be part of the tutorial, but it's also perhaps slightly more of an advanced scenario (esp. if you use the iframe approach, as it requires also setting up the html file and so forth). So not having it in the basic, default readme might not be bad after all?

The "security issue" you've linked was mine, but it was not so much a security problem. Just that the iframe approach didn't use to work with Code Flow. It does now howver (just closed the issue).

As for refresh tokens themselves... they're not (anymore?) entirely out of the question nowadays, although I would argue they require additional mitigation.

My suggestion would be to touch up the readme, but leave (slightly) more advanced scenarios to additional documentation and external examples, and update those with the suggestions you're aiming for?

[Anderman]

For me it would me more clear that document is also for code flow with pkce. This document says don't use refresh_token. But this SO says it doesn't matter.
So I was a little confused

[jeroenheijmans]

As always: "it depends". You'll have to look at your specific situation to see what level of security you want, and what mitigations you are willing and able to build.

[Anderman]

Thx, for me it is clear now. If you new to code flow with PKCE it is not so clear that refresh_token and silentRefresh accessToken are both valid options.