
add iframe attribute sandbox to allow access to local storage #1775

Draft. Wants to merge 1 commit into base: main

Conversation

pamapa
Member

@pamapa pamapa commented Dec 10, 2024

Closes/fixes #1735

Checklist

  • This PR makes changes to the public API
  • I have included links for closing relevant issue numbers

@pamapa pamapa self-assigned this Dec 10, 2024
@pamapa
Member Author

pamapa commented Dec 10, 2024

@deanmaster Does this make it work for you?

@pamapa
Member Author

pamapa commented Dec 10, 2024

@thejurassic Does this fix your signin popup too?

@deanmaster

deanmaster commented Dec 10, 2024

Hi @pamapa, the iframe setting is enough, but in order to make it work we need to be able to set the placeholder iframe (asking the Storage Access API) before the actual silent renew URL is called (in the same iframe). I believe the iframe needs an ID as well for easier access.
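The two-step scheme described in the comment above, as an added example that is not part of the PR and not oidc-client-ts code: the RP creates a hidden, sandboxed iframe with a known id that first loads a placeholder page on the IdP origin; that page asks for storage access and only then navigates the same frame to the real silent-renew URL. The placeholder path `/storage-access-placeholder.html`, the `next` query parameter, the sample origins and every function name below are assumptions made for the example, not names from the project.

```javascript
// Added example, not oidc-client-ts code. The placeholder path, the "next" query
// parameter and all function names are hypothetical; the sample origins are constructed.

// Without allow-same-origin a sandboxed frame gets an opaque origin and any access to
// window.localStorage throws a SecurityError; without allow-scripts the placeholder
// page cannot run at all. allow-storage-access-by-user-activation is the sandbox token
// that permits document.requestStorageAccess() inside a sandboxed frame.
const REQUIRED_SANDBOX_TOKENS = ["allow-scripts", "allow-same-origin"];
const STORAGE_ACCESS_TOKEN = "allow-storage-access-by-user-activation";

function buildSandboxAttribute(extraTokens = []) {
  const tokens = new Set([...REQUIRED_SANDBOX_TOKENS, STORAGE_ACCESS_TOKEN, ...extraTokens]);
  return [...tokens].join(" ");
}

// Check a sandbox value before using it; returns the problems found, if any.
function validateSandbox(value) {
  const tokens = new Set(value.trim().split(/\s+/).filter(Boolean));
  const problems = REQUIRED_SANDBOX_TOKENS
    .filter((t) => !tokens.has(t))
    .map((t) => `missing ${t}`);
  if (!tokens.has(STORAGE_ACCESS_TOKEN)) {
    problems.push(`missing ${STORAGE_ACCESS_TOKEN} (requestStorageAccess() would be rejected)`);
  }
  return { ok: problems.length === 0, problems };
}

// Build the placeholder URL on the IdP origin, carrying the real silent-renew URL.
// The forward target is pinned to the IdP origin so the placeholder cannot be turned
// into an open redirector.
function buildPlaceholderUrl(idpOrigin, silentRenewUrl) {
  const placeholder = new URL("/storage-access-placeholder.html", idpOrigin); // hypothetical path
  if (new URL(silentRenewUrl).origin !== placeholder.origin) {
    throw new Error("silent renew URL must be on the IdP origin");
  }
  placeholder.searchParams.set("next", silentRenewUrl);
  return placeholder.toString();
}

// RP side: create the hidden frame. `doc` is passed in so this also runs (and can be
// tested) outside a browser; in the page it is simply `document`.
function createSilentRenewFrame(doc, id, src, sandbox) {
  const check = validateSandbox(sandbox);
  if (!check.ok) throw new Error(check.problems.join("; "));
  const iframe = doc.createElement("iframe");
  iframe.id = id;                           // known id so the app can find and remove the frame
  iframe.style.display = "none";
  iframe.setAttribute("sandbox", sandbox);  // set before insertion: sandboxing is applied on navigation
  iframe.src = src;
  doc.body.appendChild(iframe);
  return iframe;
}

// IdP side (script on the placeholder page): obtain storage access, then navigate this
// same frame to the real silent-renew URL. Resolves to true if the hand-off happened.
async function placeholderMain(doc, win) {
  const next = new URL(win.location.href).searchParams.get("next");
  if (!next || new URL(next).origin !== win.location.origin) return false;
  let granted = await doc.hasStorageAccess();
  if (!granted) {
    // Browsers generally require a user gesture here; a hidden frame without one is
    // rejected, so the caller must be prepared for this branch to fail.
    try {
      await doc.requestStorageAccess();
      granted = true;
    } catch (_e) {
      granted = false;
    }
  }
  if (!granted) return false;
  win.location.replace(next); // same frame, so the RP's id still points at it
  return true;
}

// Browser-only wiring; skipped when the file is run under Node.
if (typeof document !== "undefined" && typeof window !== "undefined") {
  if (window.location.search.includes("next=")) {
    placeholderMain(document, window); // we are the placeholder page inside the frame
  } else {
    const idp = "https://idp.example"; // constructed sample values
    const silent = `${idp}/authorize?prompt=none&client_id=rp&redirect_uri=${encodeURIComponent("https://rp.example/silent.html")}`;
    createSilentRenewFrame(document, "oidc-silent-renew", buildPlaceholderUrl(idp, silent), buildSandboxAttribute());
  }
}
```

Two caveats a practitioner should keep in mind. `document.requestStorageAccess()` is normally only granted on user activation, so a silent, hidden frame can only succeed when the user has already granted access for that site pair (or the browser's heuristics allow it); the RP must treat a rejection as "silent renew unavailable" rather than as an error. And `allow-scripts` together with `allow-same-origin` lets a frame remove its own sandbox, so the attribute only constrains content that is cross-origin to the RP, which is exactly the situation with an IdP-hosted frame.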

@pamapa
Member Author

pamapa commented Dec 11, 2024

@deanmaster Thanks for the clarification. I will try to put something together from the patch you posted in #1735. My company recently switched to Entra ID and this IdP works with a refresh token and trusted device concept, thus I can no longer test this code path myself...

@deanmaster

Thank you @pamapa, the idea of using a Refresh Token and trusted device is a good idea. But I don't know how scalable it could be; with a wide range of users across the world, how do we implement trusted device? Could you point me to a specification?

@pamapa pamapa marked this pull request as draft December 12, 2024 07:57
@pamapa
Member Author

pamapa commented Dec 12, 2024

> Thank you @pamapa, the idea of using a Refresh Token and trusted device is a good idea. But I don't know how scalable it could be; with a wide range of users across the world, how do we implement trusted device? Could you point me to a specification?

Trusted device is a concept implemented on the server side (IdP); I am not aware of a specification. When you search the internet for "trusted device" you can find some documentation from most IdPs...

@deanmaster

deanmaster commented Dec 12, 2024

> Trusted device is a concept implemented on the server side (IdP); I am not aware of a specification. When you search the internet for "trusted device" you can find some documentation from most IdPs...

Thank you. I need to evaluate whether the Refresh Token flow is "safe" to use, due to its long expiry time. Do you have a best practice for implementing renewal based on the Refresh Token (ideally a specification)? Is this what you're using: https://github.com/authts/oidc-client-ts/blob/main/docs/protocols/refresh-token-grant.md? I need to discuss with our security expert.

@pamapa
Member Author

pamapa commented Dec 16, 2024

> Thank you. I need to evaluate whether the Refresh Token flow is "safe" to use, due to its long expiry time. Do you have a best practice for implementing renewal based on the Refresh Token (ideally a specification)? Is this what you're using: https://github.com/authts/oidc-client-ts/blob/main/docs/protocols/refresh-token-grant.md? I need to discuss with our security expert.

Yes, in this library there is a switch in signinSilent. See https://github.com/authts/oidc-client-ts/blob/main/src/UserManager.ts#L302-L357

Successfully merging this pull request may close these issues.

Silent Renew Process - Storage Access APIs - PoC Working in Firefox