Is your feature request related to a problem? Please describe.

I did a proof-of-concept token exchange implementation using Keycloak as IdP and needed to work around the library operations to make it work. I used essentially this to start the token exchange:

```typescript
this.oidcSecurityService.forceRefreshSession({
  "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
  "subject_token": accessToken,
  "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
  "requested_subject": newUsername
}, configId)
.subscribe((value: LoginResponse) => {
  console.log("impersonate - loginResponse =", value);
  // TEMPORARY FIX for angular-auth-oidc-client
  window.location.reload();
});
```

A few problems with this manual override approach:

- When the call to the token endpoint gets made there are 2 grant_type parameters set (the original from the refresh and the new urn:ietf... one). I wrote an interceptor for this call to correct the body to only contain the "new" grant_type.
  In UrlService::createBodyForCodeFlowCodeRequest() the grant_type authorization_code and in UrlService::createBodyForCodeFlowRefreshTokensRequest() the grant_type refresh_token get unconditionally set manually and from the customParams hash, so the duplication of the grant_type parameter happens and therefore creates a wrong message to the IdP.
- I needed to disable validation of the id_token (because it was patched), otherwise the returned token was not accepted. Somewhere in the TokenValidationService.
- I needed to call window.location.reload() to refresh the username in the UI view after the token was refreshed. The app had already accepted the correct new access_token, but the observable to get the userData and/or the new username from the payload was not properly refreshed, so the old username was shown in the UI. Maybe because a normal refresh_token call would not change these values and no new values were pushed into the observables?

I have used version 18.0.1.

Describe the solution you'd like

I would really like to have a new method like forceTokenExchange() in the OidcSecurityService OR a separate TokenExchangeService with this method, if you think that token exchange is only supported by some IdP servers and this operation should therefore not be in the standard authentication service. (Keycloak and Dex support token exchange, I do not know about other implementations.)

I think it is an operation that has very much value and should be properly supported and implemented. It already works, so a proper implementation should not be that hard for someone more experienced than me.

Describe alternatives you've considered

I implemented a working workaround but it does not look very nice...
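The duplicated grant_type problem described in the issue, as an added example that is not part of the original issue or of angular-auth-oidc-client's own code: a small TypeScript helper that merges the library's default parameters with the caller's custom parameters so that a custom grant_type replaces the default instead of being appended beside it, plus a check that flags a token-exchange body carrying a parameter twice before it leaves the client. Function names and the sample bodies are assumptions constructed for illustration.

```typescript
// Added example (not code from angular-auth-oidc-client): build the token-endpoint
// body so that a custom grant_type REPLACES the library default instead of being
// appended next to it, and check a body for that defect before it is sent.
// Function names and sample values are assumptions constructed for illustration.

const TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange";

/** Merge default and custom parameters into one form body, one value per key. */
function buildTokenRequestBody(
  defaults: Record<string, string>,
  customParams: Record<string, string> = {}
): URLSearchParams {
  // Later keys win: a custom grant_type overrides the default one.
  const merged: Record<string, string> = { ...defaults, ...customParams };
  const body = new URLSearchParams();
  // set(), never append(): append() is what produces the duplicated parameter.
  Object.keys(merged).forEach((key) => body.set(key, merged[key]));
  return body;
}

/** Names of parameters that occur more than once in a raw form-encoded body. */
function duplicatedParams(rawBody: string): string[] {
  const counts = new Map<string, number>();
  new URLSearchParams(rawBody).forEach((_value, key) => {
    counts.set(key, (counts.get(key) || 0) + 1);
  });
  const dups: string[] = [];
  counts.forEach((n, key) => {
    if (n > 1) dups.push(key);
  });
  return dups;
}

/** Problems a token-exchange body would cause at the IdP; an empty array means it looks sane. */
function validateTokenExchangeBody(rawBody: string): string[] {
  const problems: string[] = [];
  const params = new URLSearchParams(rawBody);
  const dups = duplicatedParams(rawBody);
  if (dups.length > 0) problems.push("duplicated parameters: " + dups.join(", "));
  // get() returns the FIRST value, i.e. what a server that ignores repeats would act on.
  if (params.get("grant_type") !== TOKEN_EXCHANGE_GRANT) {
    problems.push("grant_type is not token-exchange");
  }
  ["subject_token", "subject_token_type"].forEach((name) => {
    if (!params.get(name)) problems.push("missing " + name);
  });
  return problems;
}

// Constructed sample of the defect from the issue: the refresh path sets
// grant_type=refresh_token and then appends the custom grant_type as well.
const BROKEN_BODY =
  "grant_type=refresh_token&client_id=app&refresh_token=constructed-rt" +
  "&grant_type=" + encodeURIComponent(TOKEN_EXCHANGE_GRANT) +
  "&subject_token=constructed-at&subject_token_type=" +
  encodeURIComponent("urn:ietf:params:oauth:token-type:access_token");

// Same inputs run through the merging builder: exactly one grant_type survives.
const FIXED_BODY = buildTokenRequestBody(
  { grant_type: "refresh_token", client_id: "app", refresh_token: "constructed-rt" },
  {
    grant_type: TOKEN_EXCHANGE_GRANT,
    subject_token: "constructed-at",
    subject_token_type: "urn:ietf:params:oauth:token-type:access_token",
    requested_subject: "alice",
  }
).toString();

console.log(validateTokenExchangeBody(BROKEN_BODY)); // ["duplicated parameters: grant_type", "grant_type is not token-exchange"]
console.log(validateTokenExchangeBody(FIXED_BODY));  // []
```

The check is intentionally strict about the first grant_type value: a token endpoint that silently takes the first occurrence of a repeated parameter would process the request as a plain refresh, so a client-side guard like validateTokenExchangeBody is a cheap way to catch the malformed body in tests or an interceptor instead of debugging it from the IdP's error response.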