
Implement Silent Authentication Using Hidden Iframe #88

Merged
merged 1 commit into from
Dec 10, 2023

Conversation

rundfunk47

Overview

This PR integrates a hidden iFrame for silent authentication in the FlutterWebAuth2WebPlugin, enhancing token refreshes and ensuring smooth user experiences in environments where popup blockers might impact traditional authentication methods.

Key Updates

Silent Authentication Implementation: Incorporation of a hidden iFrame, a standard in web authentication, enables background token refreshing without user interruption.
Security Focus: Ensured security through URL sanitization and rigorous origin checks to prevent vulnerabilities like XSS.

Rationale Behind Silent Authentication

Seamless User Experience: Maintains session continuity in single-page applications by eliminating repeated login prompts.
Popup Blocker Avoidance: Addresses the issue of popup blockers in modern browsers, ensuring more reliable authentication.
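The pieces of the flow the PR describes, as an added example in JavaScript rather than code from this PR or from the FlutterWebAuth2WebPlugin itself: building the silent authorize request (the OIDC `prompt=none` parameter makes the server answer with an error instead of a login page), and parsing the callback only after a scheme, origin and `state` check. It assumes the callback page in the iframe posts its own URL to the parent with `postMessage` in a `{ url }` object; that shape, and the names `buildSilentAuthUrl`, `parseCallbackUrl`, `handleAuthMessage` and `runSilentAuth`, are assumptions for the example.

```javascript
// Added example, not the plugin's own code. The message shape { url } and all
// function names are assumed for illustration.

// Build the authorize URL for a silent attempt. prompt=none tells the server to
// return login_required / interaction_required instead of rendering a login page.
function buildSilentAuthUrl(authorizeUrl, { clientId, redirectUri, scope, state }) {
  const url = new URL(authorizeUrl);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('scope', scope);
  url.searchParams.set('state', state);
  url.searchParams.set('prompt', 'none');
  return url.toString();
}

// Parse the URL the iframe ended up on. Only http(s) URLs on the expected
// origin whose state matches are accepted; everything else is untrusted.
function parseCallbackUrl(callbackUrl, expectedOrigin, expectedState) {
  let url;
  try {
    url = new URL(callbackUrl);
  } catch {
    return { ok: false, error: 'invalid_url' };
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    return { ok: false, error: 'bad_scheme' }; // rejects javascript:, data:, etc.
  }
  if (url.origin !== expectedOrigin) {
    return { ok: false, error: 'origin_mismatch' };
  }
  // Parameters arrive in the query, or in the fragment for fragment response modes.
  const params = new URLSearchParams(url.search ? url.search : url.hash.slice(1));
  if (params.get('state') !== expectedState) {
    return { ok: false, error: 'state_mismatch' }; // response not for this request
  }
  const error = params.get('error');
  if (error) {
    // login_required / interaction_required: fall back to an interactive login
    return { ok: false, error, description: params.get('error_description') || '' };
  }
  const code = params.get('code');
  if (!code) return { ok: false, error: 'missing_code' };
  return { ok: true, code };
}

// Handle a postMessage from the callback page. The origin check is what stops
// a message from any other frame or window from being treated as an auth result.
function handleAuthMessage(event, expectedOrigin, expectedState) {
  if (event.origin !== expectedOrigin) return null;
  if (!event.data || typeof event.data.url !== 'string') return null;
  return parseCallbackUrl(event.data.url, expectedOrigin, expectedState);
}

// Browser-only: mount a hidden iframe, wait for the callback message, clean up.
function runSilentAuth(authorizeUrl, opts, expectedOrigin, timeoutMs = 10000) {
  return new Promise((resolve) => {
    const iframe = document.createElement('iframe');
    iframe.style.display = 'none';
    iframe.setAttribute('aria-hidden', 'true');
    const timer = setTimeout(() => finish({ ok: false, error: 'timeout' }), timeoutMs);
    function finish(result) {
      clearTimeout(timer);
      window.removeEventListener('message', onMessage);
      iframe.remove();
      resolve(result);
    }
    function onMessage(event) {
      const result = handleAuthMessage(event, expectedOrigin, opts.state);
      if (result) finish(result);
    }
    window.addEventListener('message', onMessage);
    iframe.src = buildSilentAuthUrl(authorizeUrl, opts);
    document.body.appendChild(iframe);
  });
}
```

The timeout matters in practice: if the identity provider sets `X-Frame-Options` or a frame-ancestors policy that blocks framing, the iframe never reaches the callback page and nothing is posted, so the caller must be able to fall back to the interactive flow.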

@ThexXTURBOXx
Owner

Thank you very much for this excellent PR! I will merge and publish this ASAP! :)

@ThexXTURBOXx ThexXTURBOXx merged commit 669cec2 into ThexXTURBOXx:master Dec 10, 2023
2 checks passed
@rundfunk47
Author

Thanks for doing so, and thanks for maintaining this library 🙂 Really useful!

@adrian-moisa

@rundfunk47 Thank you for such a great contribution! What can you advise about native devices? How can we configure the auth client to maintain longer sessions? I have a custom Keycloak setup and I have various options to control the length of a session. As far as I understand, a one-hour expiry is desired for tokens and then a week-long continuous-use session if the user is active. What can you advise on this topic? Thank you!

@rundfunk47
Author

Thanks, @adrian-moisa. You can use the offline_access scope in Keycloak settings for longer sessions. For the auth client, ensure it handles token refresh using the refresh token. Implement background token refresh logic to maintain session continuity. For example, when making a network call, if you get a token expiry error (or if the token is old on the client side), use the refresh token to get a new access token.
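The refresh logic sketched in the reply above, as an added example in JavaScript (not code from this PR or from the library): a small token store and a fetch wrapper that refreshes proactively when the access token is close to expiry and reactively, once, when the server answers 401. The request body shape is the standard OAuth 2.0 `grant_type=refresh_token` form that Keycloak's token endpoint accepts; the names `createTokenStore`, `fetchWithAuth`, `refreshRequestBody` and the in-memory "server" in `simulateSession` are constructed for the example.

```javascript
// Added example, not the library's own code. All names are assumed; the
// "server" in simulateSession is an in-memory stand-in, not a real endpoint.

const REFRESH_SKEW_MS = 30 * 1000; // refresh this long before the nominal expiry

function createTokenStore(initial, now = Date.now) {
  let tokens = { ...initial }; // { accessToken, refreshToken, expiresAt (ms since epoch) }
  let inflight = null;         // shared promise so concurrent callers trigger one refresh
  return {
    get: () => tokens,
    isExpiringSoon: () => tokens.expiresAt - now() <= REFRESH_SKEW_MS,
    refresh(refreshFn) {
      if (!inflight) {
        inflight = refreshFn(tokens.refreshToken)
          .then((next) => { tokens = next; return tokens; })
          .finally(() => { inflight = null; });
      }
      return inflight;
    },
  };
}

// Form body for a refresh request to an OAuth 2.0 token endpoint (public client).
function refreshRequestBody(clientId, refreshToken) {
  return new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    refresh_token: refreshToken,
  }).toString();
}

// fetchFn is fetch-like; refreshFn exchanges a refresh token for new tokens.
async function fetchWithAuth(fetchFn, store, refreshFn, url, init = {}) {
  if (store.isExpiringSoon()) await store.refresh(refreshFn); // client-side "token is old"
  const attempt = () => fetchFn(url, {
    ...init,
    headers: { ...(init.headers || {}), Authorization: `Bearer ${store.get().accessToken}` },
  });
  let res = await attempt();
  if (res.status === 401) {
    await store.refresh(refreshFn); // rejected server-side: refresh once, retry once
    res = await attempt();
  }
  return res;
}

// Constructed simulation: fresh token, server-side expiry, then a proactive
// refresh shared by two concurrent requests. Returns what happened.
async function simulateSession() {
  let clock = 1700000000000; // fake epoch ms
  const now = () => clock;
  const hour = 3600 * 1000;
  const server = { valid: new Set(['at-1']), refreshToken: 'rt-1', refreshCount: 0, issued: 1 };

  const fakeFetch = async (_url, init) => {
    const token = (init.headers.Authorization || '').replace('Bearer ', '');
    return { status: server.valid.has(token) ? 200 : 401 };
  };
  const fakeRefresh = async (refreshToken) => {
    if (refreshToken !== server.refreshToken) throw new Error('invalid_grant');
    server.refreshCount += 1;
    server.issued += 1;
    const accessToken = `at-${server.issued}`;
    server.refreshToken = `rt-${server.issued}`; // rotated refresh token
    server.valid = new Set([accessToken]);       // old access token no longer valid
    return { accessToken, refreshToken: server.refreshToken, expiresAt: clock + hour };
  };

  const store = createTokenStore(
    { accessToken: 'at-1', refreshToken: 'rt-1', expiresAt: clock + hour }, now);
  const statuses = [];
  const call = async () => {
    const res = await fetchWithAuth(fakeFetch, store, fakeRefresh, '/api/me');
    statuses.push(res.status);
  };

  await call();                              // fresh token: 200, no refresh
  server.valid.delete('at-1');               // server-side expiry before the client notices
  await call();                              // 401 -> refresh -> retry -> 200
  clock = store.get().expiresAt - 10 * 1000; // now inside the skew window
  await Promise.all([call(), call()]);       // both see "expiring", only one refresh runs
  return { statuses, refreshCount: server.refreshCount, accessToken: store.get().accessToken };
}
```

Two details carry the weight here: the retry after a 401 happens at most once, so a refresh token that the server rejects (revoked, or the session hard-limit reached) surfaces as an error instead of a loop, and the shared in-flight promise keeps a burst of parallel requests from each spending the same refresh token, which matters when the server rotates refresh tokens.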

@adrian-moisa

Thank you @rundfunk47 for the quick answer. In the meantime I studied your commit and the codebase overall more closely to better understand how it all fits together. I made use of the silentAuth flag. Really happy with how the code turned out. Nice and crisp. Once I find some time I'll share a full sample. I know lots of people struggle really hard to stitch everything together the right way (it was hard for me as well, but this is the 3rd client already so it's a bit easier to make sense of it). Cheers!
