Tags: identityserver4, openid-connect, oidc-client-js, angular-auth-oidc-client

Silent Authentication using Identity Server


I’m building an SPA app, and am using IdentityServer4 for the authentication. I’m using the new API authorization template found in .NET Core 3.0 for Angular.

The template tries to authenticate first using an iframe; if it fails it tries using a popup, and if it fails it tries using redirects. My question is: can I rely only on the silent authentication using the iframe, without a backup method? I mean, the iframe is supported in all browsers and should work on all devices, so why would I implement the popup or the redirect flow?


Solution

  • The iframe method will only work if the user already has a session on the IDP and if any max age conditions are satisfied.

    If interactive authentication is needed then a redirect will be necessary.
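The following is an added example, not part of the original answer or of the template's code: it shows the `prompt=none` request a silent iframe sends and how the client can classify the response to decide when a redirect is required. The endpoint, client ID, URIs and function names are assumptions made for illustration; the error codes are the ones OpenID Connect Core defines for `prompt=none`.

```javascript
// Added example; endpoint, client ID and URIs are constructed placeholders.
const SAMPLE_CFG = {
  authorizeEndpoint: "https://idp.example.test/connect/authorize",
  clientId: "spa-client",
  redirectUri: "https://app.example.test/callback",
  silentRedirectUri: "https://app.example.test/silent-callback",
  scope: "openid profile",
};

// OIDC Core error codes an IdP returns when prompt=none cannot be satisfied without UI.
const INTERACTION_ERRORS = new Set([
  "login_required", // no IdP session, or session older than max_age
  "interaction_required",
  "consent_required",
  "account_selection_required",
]);

// Build the authorization request; silent=true is what the hidden iframe loads.
function buildAuthorizeUrl(cfg, { state, nonce, codeChallenge, silent, maxAge }) {
  const url = new URL(cfg.authorizeEndpoint);
  const p = url.searchParams;
  p.set("client_id", cfg.clientId);
  p.set("redirect_uri", silent ? cfg.silentRedirectUri : cfg.redirectUri);
  p.set("response_type", "code");
  p.set("scope", cfg.scope);
  p.set("state", state);
  p.set("nonce", nonce);
  p.set("code_challenge", codeChallenge);
  p.set("code_challenge_method", "S256");
  if (silent) p.set("prompt", "none"); // IdP must not show any UI
  if (maxAge !== undefined) p.set("max_age", String(maxAge));
  return url.toString();
}

// Classify the URL the iframe was redirected back to.
function handleSilentCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.get("state") !== expectedState) return { action: "reject", reason: "state_mismatch" };
  const error = params.get("error");
  if (error) {
    return { action: INTERACTION_ERRORS.has(error) ? "redirect" : "fail", reason: error };
  }
  const code = params.get("code");
  return code ? { action: "exchange_code", code } : { action: "fail", reason: "missing_code" };
}
```

A result of `redirect` means the silent attempt cannot succeed by retrying; the client has to send the top-level window to the same endpoint without `prompt=none`.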