
Enable scope updates with iframe flow. #3040


Draft: wants to merge 1 commit into master

Conversation

Hyperkid123
Contributor

Description

An experiment that enables session scope expansion without a full browser refresh. The method uses the IFrame OIDC flow.

Changes

Since the iframe flow was not used, we had some misconfiguration of the OIDC client which surfaced once the flow was "forced".

  • removed the different output path of the silent-check-sso.html between dev and prod build
  • fix the actual silent-check-sso.html post message payload (it was still using the keycloak-js signature)
  • reAuthWithScopes will try the iframe flow and falls back to signInRedirect if it fails
  • useUserSSOScopes is now using reAuthWithScopes instead of the auth.login directly

Caveats

The OIDC client we use will ignore the iframe flow if a refresh_token was provided. This is ok unless we want the scopes to be updated. There is no supported way of disabling the refresh_token refresh unless the refresh_token is disabled directly in the KC settings. It's not something we want.

However, we can patch the condition in the node_modules and disable it via global variable (simplest possible change). We can leverage https://github.com/ds300/patch-package to do so. Ideally, we would try to work with the client maintainers to find a proper solution. But if we decide to accept this change, we at least can do so before we manage to update the client code.
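The try-iframe-then-redirect behaviour described in the changes above, as an added example that is not code from this PR or from oidc-client-ts. The wrapper assumes a `userManager` object shaped like an oidc-client-ts `UserManager` (`getUser()`, `signinSilent(args)`, `signinRedirect(args)`, all returning promises); the `planScopeUpgrade`, `reAuthWithScopes` and `makeFakeUserManager` names and the in-memory fake identity provider are constructed for this example. The fake also models the caveat from the description: a silent sign-in that "succeeds" by handing back the old token (as a refresh_token grant would) is treated as a failed scope upgrade, so the code falls back to the redirect instead of believing the scopes were widened.

```javascript
// Added example, not code from the PR or from oidc-client-ts. Ask the client for
// the expanded scope set through the silent (iframe) flow first, and fall back to
// a full signinRedirect only when that fails or does not yield the scopes.
// `userManager` is assumed to look like an oidc-client-ts UserManager.

function parseScopes(scopeString) {
  // OIDC `scope` is a space-separated list; tolerate undefined and extra spaces.
  return new Set((scopeString || "").split(/\s+/).filter(Boolean));
}

// Pure planning step: which scopes are missing and what scope string to request.
function planScopeUpgrade(currentScope, requiredScopes) {
  const granted = parseScopes(currentScope);
  const missing = requiredScopes.filter((s) => !granted.has(s));
  const scope = [...new Set([...granted, ...requiredScopes])].join(" ");
  return { missing, scope };
}

async function reAuthWithScopes(userManager, requiredScopes) {
  const current = await userManager.getUser();
  const { missing, scope } = planScopeUpgrade(current && current.scope, requiredScopes);
  if (missing.length === 0) {
    return { method: "none", scope: current ? current.scope : "" };
  }
  try {
    const user = await userManager.signinSilent({ scope });
    const got = parseScopes(user && user.scope);
    // A silent sign-in can "succeed" with the old token (a refresh_token grant does
    // not widen scope). Treat that as a failure of the upgrade, not a success.
    if (!missing.every((s) => got.has(s))) {
      throw new Error("silent sign-in did not grant: " + missing.filter((s) => !got.has(s)).join(" "));
    }
    return { method: "iframe", scope: user.scope };
  } catch (err) {
    await userManager.signinRedirect({ scope });
    return { method: "redirect", scope, reason: err instanceof Error ? err.message : String(err) };
  }
}

// Constructed in-memory stand-in for UserManager so the example runs offline.
// `behaviour` selects how the fake identity provider reacts to the silent request.
function makeFakeUserManager(currentScope, behaviour) {
  const calls = [];
  return {
    calls,
    async getUser() {
      return { scope: currentScope, access_token: "constructed-token" };
    },
    async signinSilent(args) {
      calls.push(["signinSilent", args.scope]);
      if (behaviour === "iframe-error") throw new Error("Frame window timed out");
      if (behaviour === "refresh-grant") return { scope: currentScope }; // old scopes back
      return { scope: args.scope }; // "iframe-ok": IdP grants the expanded set
    },
    async signinRedirect(args) {
      calls.push(["signinRedirect", args.scope]);
      // The real client navigates away here; the fake only records the call.
    },
  };
}

// Runs the three scenarios and returns their outcomes for inspection.
async function demo() {
  const required = ["openid", "profile", "api.write"];
  const ok = makeFakeUserManager("openid profile", "iframe-ok");
  const timeout = makeFakeUserManager("openid profile", "iframe-error");
  const refresh = makeFakeUserManager("openid profile", "refresh-grant");
  return {
    ok: await reAuthWithScopes(ok, required),
    timeout: await reAuthWithScopes(timeout, required),
    refresh: await reAuthWithScopes(refresh, required),
    refreshCalls: refresh.calls,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

The check on the returned `scope` is the important part: without it, a client that silently falls back to the refresh_token grant reports success while the token still carries the old scopes, which is exactly the condition the description says had to be patched around.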

@Hyperkid123 Hyperkid123 requested a review from a team March 11, 2025 10:21
@florkbr
Contributor

florkbr commented Mar 21, 2025

@Hyperkid123 have we heard back from the maintainer of this package on contributing an enhancement?

@Hyperkid123
Contributor Author

@florkbr not yet.

@ryelo ryelo added the wip work in progress label Apr 16, 2025
@Hyperkid123
Contributor Author

We have a positive response from the maintainers upstream. I will open a PR and see what they think about it:
authts/oidc-client-ts#1890 (comment)

@Hyperkid123 Hyperkid123 force-pushed the patch-sso-flow branch 3 times, most recently from d3866e2 to afa2a50 Compare July 11, 2025 09:16
Labels
wip work in progress