angular-oauth2-oidc: Refresh token not working.

Hi,

I cannot get automatic refresh token working fine. I’m using IdentityServer4 and here is the error message:

Requests for token response type only must include resource scopes, but no identity scopes.

Here is my client authorize request when refreshing the token:

response_type:token
client_id:identity
state:JBBRPEFbXc51hBt1WwWyOU3glE4AjSVZ3rqCta4s
redirect_uri:http://localhost:5000/silent-refresh.html
scope:openid profile identity roles offline_access
prompt:none

From my scopes, identity is my custom application’s scope and roles is a scope that enables me to include my account roles in the token.

From IdentityServer4 it seems that this error message is thrown when attempting to get a token with identity in scope (openid obviously).

Here is the code that throws this message:

public bool IsResponseTypeValid(string responseType)
{
    // Constants.ResponseTypeToScopeRequirement maps response_type "token" to ResourceOnly,
    // so the request above (scope contains openid) fails the last case below.
    var requirement = Constants.ResponseTypeToScopeRequirement[responseType];

    switch (requirement)
    {
        case Constants.ScopeRequirement.Identity:
            if (!ContainsOpenIdScopes)
            {
                _logger.LogError("Requests for id_token response type must include identity scopes");
                return false;
            }
            break;
        case Constants.ScopeRequirement.IdentityOnly:
            if (!ContainsOpenIdScopes || ContainsApiResourceScopes)
            {
                _logger.LogError("Requests for id_token response type only must not include resource scopes");
                return false;
            }
            break;
        case Constants.ScopeRequirement.ResourceOnly:
            if (ContainsOpenIdScopes || !ContainsApiResourceScopes)
            {
                _logger.LogError("Requests for token response type only must include resource scopes, but no identity scopes.");
                return false;
            }
            break;
    }

    return true;
}

How could I get refreshing the token working with IdentityServer4?

Regards

About this issue

  • State: closed
  • Created 7 years ago
  • Reactions: 1
  • Comments: 27 (12 by maintainers)

Most upvoted comments

Hi Kevin,

I think, now we have it. Silent Refresh (and so the methods silentRefresh() and setupAutomaticSilentRefresh()) is intended for Implicit Flow. For password flow you have to call refreshToken(), as there is a completely different refreshing procedure for this case. Currently, there is no such thing as an automatic refresh for password flow. That means you need to set up a timer on your own, or you can use an Interceptor that refreshes the token on demand.

The combination mentioned above is necessary b/c IdSvr4 seems to only give us access to Identity Resources when using OIDC (requesting an id_token). But in the special case of password flow the defined check of the sub claim is not possible. That’s why we have to skip it.

skipSubjectCheck = true
oidc = true

Does this work for you?

Best wishes, Manfred
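The timer-based refresh Manfred describes for password flow, as an added example that is not code from this thread or from angular-oauth2-oidc. It assumes a TokenClient interface mirroring OAuthService.getAccessTokenExpiration() and refreshToken(); the config values are constructed, and the single-flight guard is there because a timer and an interceptor must not issue two overlapping refreshes with the same refresh token.

```typescript
// Added example, not code from the issue or from angular-oauth2-oidc: a
// timer-based refresh for password flow plus a single-flight guard so that
// a timer and an interceptor never run two overlapping refreshToken() calls.
// TokenClient is an assumed interface mirroring the two OAuthService methods used.
interface TokenClient {
  getAccessTokenExpiration(): number; // epoch milliseconds
  refreshToken(): Promise<unknown>;   // password-flow refresh, not silentRefresh()
}
// AuthConfig subset for the password-flow setup from the thread (constructed values).
const passwordFlowConfig = {
  issuer: 'https://idsvr.example.test', // placeholder issuer
  clientId: 'identity',
  scope: 'openid profile identity roles offline_access',
  oidc: true,             // request an id_token so identity resources are granted
  skipSubjectCheck: true, // no id_token sub to compare against in password flow
};

class RefreshScheduler {
  private inFlight: Promise<unknown> | null = null;
  private timer: ReturnType<typeof setTimeout> | null = null;
  constructor(private client: TokenClient,
              private marginMs = 30_000,
              private now: () => number = () => Date.now()) {}

  // Milliseconds until the next refresh; 0 if already inside the margin or expired.
  delayUntilRefresh(): number {
    return Math.max(0, this.client.getAccessTokenExpiration() - this.now() - this.marginMs);
  }

  // All concurrent callers share one refreshToken() call.
  refresh(): Promise<unknown> {
    if (!this.inFlight) {
      const done = () => { this.inFlight = null; };
      this.inFlight = this.client.refreshToken()
        .then(v => { done(); return v; }, e => { done(); throw e; });
    }
    return this.inFlight;
  }

  // Arm a timer that refreshes ahead of expiry and re-arms after success.
  start(): void {
    this.stop();
    this.timer = setTimeout(
      () => this.refresh().then(() => this.start(), () => this.stop()),
      this.delayUntilRefresh());
  }

  stop(): void {
    if (this.timer !== null) { clearTimeout(this.timer); this.timer = null; }
  }
}
```

In an Angular app you would pass the real OAuthService as the client and call start() right after fetchTokenUsingPasswordFlow resolves; an HTTP interceptor can call refresh() on a 401 and will share any refresh already in flight.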