Add silent auth support #11

Open
DarkoKukovec opened this issue Sep 6, 2023 · 1 comment
@DarkoKukovec
Member

Breaking change

No

Description

Refresh the tokens in the background

@DarkoKukovec DarkoKukovec added the enhancement New feature or request label Sep 6, 2023
@DarkoKukovec DarkoKukovec self-assigned this Sep 6, 2023
@ymajoros

ymajoros commented Sep 6, 2023

The goal is of course to have the authorization code never reach the main app.

The way I experimented with was something like this:

  • main app creates an iframe with the authorization endpoint as src
  • if authentication is successful, the service worker intercepts the result and redirects the iframe before answering (redirect in the response) so that it never sees the url with the code (maybe possible even without redirect)
  • make sure CSP is set up so no inline script can be run in an iframe or other web contexts to avoid XSS
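
The interception step from the comment above, sketched as an added example; it is not part of the thread or of the project's code. The callback and landing paths, token endpoint, client id and the `auth-start` message shape are all assumptions, and the worker keeps the pending state in memory only.

```javascript
// Assumed names: every path, endpoint and identifier below is a placeholder.
const CALLBACK_PATH = '/auth/callback';             // registered redirect_uri path
const DONE_PATH = '/auth/silent-done';              // code-free page the iframe ends on
const TOKEN_ENDPOINT = 'https://idp.example/token';
const CLIENT_ID = 'example-client';
function landing(origin, result) {
  const u = new URL(DONE_PATH, origin);
  u.searchParams.set('result', result);
  return u.href;
}

// Pure decision step: null when the URL is not the callback, otherwise the
// code to redeem (or null) and a redirect target carrying no code or state.
function interceptCallback(requestUrl, expectedState) {
  const url = new URL(requestUrl);
  if (url.pathname !== CALLBACK_PATH) return null;
  const code = url.searchParams.get('code');
  const ok = Boolean(code) && Boolean(expectedState) &&
    url.searchParams.get('state') === expectedState && !url.searchParams.has('error');
  return { code: ok ? code : null, location: landing(url.origin, ok ? 'ok' : 'error') };
}

let tokens = null; // redeemed tokens stay in worker memory, out of the page's reach
async function redeemCode(code, verifier, redirectUri) {
  const body = new URLSearchParams({ grant_type: 'authorization_code', code,
    code_verifier: verifier, redirect_uri: redirectUri, client_id: CLIENT_ID });
  const res = await fetch(TOKEN_ENDPOINT, { method: 'POST', body });
  if (res.ok) tokens = await res.json();
  return res.ok;
}

// Wiring, active only when this file is loaded as a service worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  let pending = null; // { state, verifier }, posted by the page before it adds the iframe
  self.addEventListener('message', (e) => { if (e.data?.type === 'auth-start') pending = e.data; });
  self.addEventListener('fetch', (event) => {
    if (event.request.mode !== 'navigate') return;
    const plan = interceptCallback(event.request.url, pending?.state);
    if (!plan) return;
    const { verifier } = pending || {};
    pending = null; // each state value is accepted once
    const origin = self.location.origin;
    event.respondWith((async () => {
      const done = plan.code !== null && await redeemCode(plan.code, verifier,
        new URL(CALLBACK_PATH, origin).href).catch(() => false);
      return Response.redirect(done ? plan.location : landing(origin, 'error'), 303);
    })());
  });
}
```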
