Okta Classic Engine | Single Sign-On | Answered | 2024-04-15T12:54:52.000Z | 2020-06-05T18:52:29.000Z | 2020-07-17T23:16:23.000Z

aberc (aberc) asked a question.

How to do silent refresh from SPA that uses implicit flow

I am developing a single page web application using Angular 8 and integrating Okta authentication using the @okta/okta-angular package. As the application has to work on Internet Explorer, the implicit flow is implemented.

 

I'm trying to prompt the users before the session expires and if the user decides to extend the session, a silent refresh of the token has to be done. I couldn't find any methods in the okta package, or any discussion about it in the community.

 

Could you please share some thoughts?


  • sandeepk.84743 (Wipro Technologies)

    Hi Ashin,

     

    You need to have an active session with Okta to be able to get new tokens (without a refresh token). Refresh tokens are not recommended for SPAs because of security; the silent refresh (getWithoutPrompt) is more secure, but requires that you have an active session with the IdP (Okta). You can increase the session timeout in Okta (Okta Sign-on policy) if necessary.

    Call the /authorize endpoint with prompt=none before the token expires, and that would refresh the token. It does a very quick redirect to Okta and the app gets a new (fresh) access token. prompt=none ensures the user doesn't see any login UI.

     

    Note: This requires the Okta SSO session to be active.

     

    I hope it helps.

  • aberc (aberc)

    Hi Sandeep,

     

    Thank you for the reply. I was trying to integrate Okta using the @okta/okta-angular package, which doesn't seem to have an out-of-the-box method for silent refresh. But the keyword "getWithoutPrompt" from your reply helped me to identify that it can be implemented if I use "@okta/okta-auth-js" instead. I was able to successfully implement the silent refresh with that.

     

    Thank you.

    Selected as Best
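
The prompt=none request described in the answer above, as an added example that is not part of the original thread or of Okta's SDK: it builds the /authorize URL for an implicit-flow silent refresh and interprets the fragment that comes back, including the `login_required` error returned when the Okta session is no longer active. The issuer, client ID, redirect URI and all function names are constructed placeholders, and the `/v1/authorize` path assumes an Okta-style issuer.

```javascript
// Constructed placeholders, not values from the thread.
const CONFIG = {
  issuer: 'https://idp.example.com/oauth2/default', // assumed Okta-style issuer
  clientId: 'EXAMPLE_CLIENT_ID',
  redirectUri: 'https://app.example.com/silent-callback',
};

// Browser helper: unguessable value for state and nonce.
function randomToken() {
  const bytes = globalThis.crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// URL a hidden iframe loads to ask for fresh tokens without any login UI.
function buildSilentAuthorizeUrl(cfg, state, nonce) {
  const url = new URL(cfg.issuer + '/v1/authorize');
  url.search = new URLSearchParams({
    client_id: cfg.clientId,
    response_type: 'token id_token', // implicit flow
    scope: 'openid profile',
    redirect_uri: cfg.redirectUri,
    prompt: 'none', // fail with an error instead of showing a sign-in page
    state,
    nonce,
  }).toString();
  return url.toString();
}

// Interpret the URL fragment delivered to redirectUri.
function handleSilentResponse(fragment, expectedState) {
  const p = new URLSearchParams(fragment.replace(/^#/, ''));
  if (p.get('state') !== expectedState) {
    return { ok: false, reason: 'state_mismatch' }; // not a reply to our request
  }
  const error = p.get('error');
  if (error) {
    // login_required: no active IdP session, so only an interactive login helps.
    return { ok: false, reason: error, needsInteractiveLogin: error === 'login_required' };
  }
  const accessToken = p.get('access_token');
  if (!accessToken) return { ok: false, reason: 'missing_token' };
  // The id_token must still be signature-checked and its nonce claim compared.
  return { ok: true, accessToken, idToken: p.get('id_token'), expiresIn: Number(p.get('expires_in')) };
}
```

In the browser, call `buildSilentAuthorizeUrl(CONFIG, randomToken(), randomToken())` and keep both values until the response has been checked.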
This question is closed.