I wonder how to deal with refreshing the token in the OAuth2 Implicit grant flow in 2019, when major browsers have 3rd party cookies disabled by default.
Some details:
Current setup:
UI SPA app under ui.example.com
Identity Provider (UAA by CloudFoundry) under uaa.api.example.com
Scenario:
when the user signs in, the Identity Provider sets a cookie with user details for the domain uaa.api.example.com and returns a JWT in the redirect's Location header.
The JWT is stored in local storage (for ui.example.com), but it's valid only for 1h, so I'd like to refresh it.
Refreshing is possible with the prompt=none query param sent to the IDP authorization endpoint (the process is well described in the Auth0 guide; it's not UAA but the flow is the same).
Every 20m a hidden iframe with src set to uaa.api.example.com/oauth/authorize?prompt=none is created, which starts the sign-in process without requiring the user to provide his credentials. When the process ends, the new JWT returned in the response is stored again in local storage.
Problem:
When third party cookies are allowed, browser adds the IDP's cookies to the request made by an iframe, so flow works and I get new token in the response.
When third party cookies are disabled in the browser's settings, the iframe doesn't have access to its own cookies, so instead of a new JWT, the error login_required is returned. The iframe's inability to access cookies makes token renewal impossible to use.
Question:
Is there any solution for my issue with 3rd party cookies?
If not, are there any alternatives for Implicit Grant flow and SPA that I could use to sign in and refresh tokens?
Finally, we decided to go with a different solution. When JWT lifetime ends, we display a modal informing that session has timed out and with 2 buttons, one to logout and one to keep the session. When user hits "keep the session" new tab/popup-window is opened where user is re-authenticated in IDP either by providing his credentials again or automatically if the IDP session is still active.
So the flow is:
JWT lifetime ends
-> 'keep session' chosen in modal
-> open new tab/popup-window with IDP login form
-> successfully authenticated
-> redirect back to app
-> store token in browser's storage
-> close popup-window/tab with window.close()
-> get new token from storage and use it in next calls
Because we use a new popup-window/tab to re-authenticate, there is no problem with 3rd party cookies.
This also gives one huge advantage. The user will not lose his work no matter when he goes back to the application, because the modal will be waiting there. I think it additionally lets us meet the Re-authenticating accessibility success criterion (level AAA):
Success Criterion 2.2.5 Re-authenticating
When an authenticated session expires, the user can continue the activity without loss of data after re-authenticating.