IBM Verify

OIDC and Silent Authentication

  • 1.  OIDC and Silent Authentication

    Posted Wed December 18, 2019 09:11 AM
    Hi all,
    We have configured several OpenID Connect providers for different use cases.
    For the majority of the applications we use the authorization code flow, especially for the applications that call the API. The API gateway is protected by WebSEAL, which uses the AT to authenticate.

    We have a problem related to the storage of the refresh token. We'd like to find a way to implement "silent authentication" (https://auth0.com/docs/api-auth/tutorials/silent-authentication) so that the applications aren't obligated to store the refresh token.

    In this article written by Philip Nye and Leo Farrell (https://www.ibm.com/blogs/security-identity-access/isam-and-single-paged-spa-applications/) I don't understand if the solution is to combine the AT and a session cookie.
    In the schema of the chapter "Handling Token Expiry Intelligently", there's a suggestion to renew the AT before its expiration. Which is the way in practice? Use a cookie?

    Thank you



    ------------------------------
    Ivana Campolongo
    ------------------------------