Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Silent Refresh does not work in Safari #1441

Open
bkrajendra opened this issue Sep 23, 2024 · 3 comments
Open

Silent Refresh does not work in Safari #1441

bkrajendra opened this issue Sep 23, 2024 · 3 comments

Comments

@bkrajendra
Copy link

bkrajendra commented Sep 23, 2024
edited
Loading

We are using latest library version with Angular 15
Our configuration is:
PKCE with Code flow and Silent Refresh.

Everything works great in Chrome Browser.
All flows work in Safari browser except silent refresh flow does not work.
The silent refresh call redirects with following in Safari when timeout is reached:

Query String Parameters
error_description: The request requires some interaction that is not allowed.
state: MkJsaVpsOG1pbEVPVxxxxxxxxxxxxkdzbHJoNjVFVDIw
error: interaction_required

Following are the content of silent refresh html page:

<html>
    <body>
        <script>
            var checks = [/[\?|&|#]code=/, /[\?|&|#]error=/, /[\?|&|#]token=/, /[\?|&|#]id_token=/];

            function isResponse(str) {
                if (!str) return false;
                for(var i=0; i<checks.length; i++) {
                    if (str.match(checks[i])) return true;
                }
                return false;
            }

            var message = isResponse(location.hash) ? location.hash : '#' + location.search;

            if (window.parent && window.parent !== window) {
                // if loaded as an iframe during silent refresh
                window.parent.postMessage(message, location.origin);
            } else if (window.opener && window.opener !== window) {
                // if loaded as a popup during initial login
                window.opener.postMessage(message, location.origin);
            } else {
                // last resort for a popup which has been through redirects and can't use window.opener
                localStorage.setItem('auth_hash', message);
                localStorage.removeItem('auth_hash');
            }
        </script>
    </body>
</html>
@bkrajendra
Copy link
Author

I have found some references about this issue:

The second one talks about deploying ForgeRock on subdomain and keeping application on TLD.
Need to check if this works.

@Sathasivamthirumoorthi
Copy link

Sathasivamthirumoorthi commented Jan 29, 2025
edited
Loading

@bkrajendra , still having this issue ?

@bkrajendra
Copy link
Author

bkrajendra commented Feb 12, 2025
edited
Loading

@Sathasivamthirumoorthi yes issue still persists, I dont think there is any alternative to running silent refresh in inframe on Safari. Its a browser security related issue and soon will stop working on Chrome once chrome implements ITP strictly.
We can not keep forgerock on same domain in production or in real life scenrio, and any subdomain or different domain is treated as cross domain.

We have relied on not choosing the silent refresh in production and using token rotation with refresh token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bkrajendra @Sathasivamthirumoorthi