Oauth2 Implicit Flow with single-page-app refreshing access tokens

旧时难觅i 2021-02-01 03:29

I am using Thinktecture AuthorizationServer (AS) and it is working great.

I would like to write a native javascript single page app which can call a WebAPI directly, how

4 answers

谎友^ (OP)
2021-02-01 03:56

    Not sure if I understand your question but,

    I would like to write a native javascript single page app which can call a WebAPI directly, however implicit flow does not provide a refresh token.

Summarizing the facts:

A refresh token is sometimes used as a part of A: Authorization Grant

    https://tools.ietf.org/html/rfc6749#section-1.5

and as you said, in implicit flow you don't get back a refresh token, only in the Authorization Grant part

    https://tools.ietf.org/html/rfc6749#section-4.2.2

so you can get back a refresh token when issuing an access token (refresh tokens are always optional)

    https://tools.ietf.org/html/rfc6749#section-5.1

    With my SPA (untrusted app), I don't have a refresh-token only an access token. So instead I:

1) Ensure user has logged in and clicked remember decision (otherwise iframe won't work)

    2) Call WebAPI, if 401 response try and get a new token by the below steps...

    3) Have a hidden iframe on the page, which I will set the URL to get a new access-token from the Authorisation Server.

    4) Get the new token from the iframe's hash-fragment, then store this in the SPA and use for all future WebAPI requests.

1) The SPA (you) has no idea if the user selected remember decision. It's in the AS's direction and should be a complete black box. Skip this step.

2) You can try to use the access token and wait for the result, always.

3) If the access token has expired and you don't have a refresh token, you can still create a hidden iframe and try to get a new access token.

4) Let's assume your AS provides an option to remember the decision and won't change it in future; then your iframe will get a new access token without user interaction, and you will get the result back within some unknown time limit. The result can be checked by setInterval reading a specific cookie or by iframe postMessage. If you don't get data back within the time limit, then one of the following scenarios occurred:

    • lag, AS is slow, connection is slow or time limit is too tight
    • user didn't select remember decision

    In this case:

    5) show iframe with login

I consider the scenario above good practice if the AS doesn't provide refresh tokens, but I also guess every AS like that won't provide a remember option either.

    StackOverflow <---> Google scenario (I can only guess)

1) User login, authorization request occurred

    2) User logs in, SO gets access token

    3) SO tries to use access token

    4) SO gets back result + refresh token

    5) SO saves refresh token

6) SO has permanent access to the user's Google account
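The silent-renewal flow from steps 3 to 5 above, as an added browser-side example (not code from the post or from Thinktecture AuthorizationServer). It assumes the page served at the redirect URI inside the iframe posts its location.hash to the parent window with postMessage, and it adds the state and origin checks a practitioner would want before trusting the returned fragment.

```javascript
// Authorization request URL (RFC 6749 section 4.2.1); `state` ties the
// fragment that comes back to this request.
function buildAuthorizeUrl(endpoint, { clientId, redirectUri, scope, state }) {
  const q = new URLSearchParams({ response_type: 'token', client_id: clientId,
    redirect_uri: redirectUri, scope, state });
  return `${endpoint}?${q}`;
}
// Parse the redirect fragment (RFC 6749 section 4.2.2), e.g.
// "#access_token=...&token_type=Bearer&expires_in=3600&state=...".
function parseTokenFragment(hash, expectedState) {
  const p = new URLSearchParams(hash.replace(/^#/, ''));
  if (p.get('error')) return { error: p.get('error') };
  if (p.get('state') !== expectedState) return { error: 'state_mismatch' };
  if ((p.get('token_type') || '').toLowerCase() !== 'bearer') return { error: 'bad_token_type' };
  const accessToken = p.get('access_token');
  if (!accessToken) return { error: 'no_token' };
  return { accessToken, expiresIn: Number(p.get('expires_in') || 0) };
}
// Steps 3-4: load the authorize URL hidden, wait for the redirect page to post
// its hash back, give up after timeoutMs. `loadHidden(url, onMessage)` is
// injected so the logic runs outside a browser; it must return a cleanup fn.
function silentRenew({ url, expectedState, origin, loadHidden, timeoutMs = 5000 }) {
  return new Promise((resolve) => {
    let cleanup = null, timer = null, done = false;
    const finish = (result) => {
      if (done) return;
      done = true; clearTimeout(timer); if (cleanup) cleanup(); resolve(result);
    };
    cleanup = loadHidden(url, (msg) => {
      if (msg.origin !== origin) return; // only trust the AS redirect page's origin
      finish(parseTokenFragment(String(msg.data), expectedState));
    });
    timer = setTimeout(() => finish({ error: 'timeout' }), timeoutMs);
  });
}
// Browser loadHidden: hidden iframe plus a window "message" listener.
function iframeLoadHidden(url, onMessage) {
  const frame = document.createElement('iframe');
  frame.style.display = 'none';
  window.addEventListener('message', onMessage);
  frame.src = url;
  document.body.appendChild(frame);
  return () => { window.removeEventListener('message', onMessage); frame.remove(); };
}
// Step 5: on any failure fall back to an interactive login rather than retrying silently.
async function getFreshToken(opts, showLogin) {
  const r = await silentRenew(opts);
  if (r.error) { showLogin(r.error); return null; }
  return r;
}
```

In the browser, pass `iframeLoadHidden` as `loadHidden` and the authorization server's origin as `origin`; a timeout or a state mismatch ends in the visible login, never in a retry loop.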
