Vulos Documentation

IFrameRefresh


Last updated 3 years ago

This function is an iframe-based implementation for the refresh token callback.

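import { IFrameRefresh } from '@vulos/identity-browser-sdk'

// `auth` is your application's existing auth instance.
// Register IFrameRefresh as the callback used when a token needs refreshing.
await auth.setRefreshTokenCallback(IFrameRefresh)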

Before using this feature, make sure your application fulfills the requirements, and validate that the limitations won't cause issues for your application's user experience and flow.

If you are using a server-side rendered application you should use The Backend Auth Package with a code id_token response type instead.

Requirements

  • That BaseAuth.processCallback() is always the first thing that gets called when an OpenID fragment/hash is part of the URL (in the route that is the default redirect URL);

  • That the application doesn't execute/render anything that might initiate a token refresh while a token is already being refreshed;

  • If a token is being refreshed in a specific frame, that frame shouldn't do anything else;

  • If your application handles the window message event, it MUST NOT stop event propagation/bubbling (using Event.stopPropagation() or return false in an event handler). You can recognize an event sent by BaseAuth.processCallback() by its Event.data.accessToken or Event.data.fail properties;

  • That your application runs in a browser window that supports <iframe> and is able to redirect;
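
A window message handler that satisfies the message-event requirement above, as an added example that is not part of the SDK or the original page. The names isSdkRefreshMessage and makeAppMessageHandler are hypothetical, and the origin check assumes the application's own messages come from one known origin.

```javascript
// Added example, not SDK code. isSdkRefreshMessage and makeAppMessageHandler
// are hypothetical helper names introduced for this illustration.

// True when the message carries the properties the page attributes to
// BaseAuth.processCallback(): Event.data.accessToken or Event.data.fail.
function isSdkRefreshMessage(event) {
  const data = event && event.data;
  if (data === null || typeof data !== 'object') return false;
  return 'accessToken' in data || 'fail' in data;
}

// Wraps the application's own message logic so that it:
//  - leaves refresh messages untouched (no stopPropagation, no `return false`),
//  - never passes token-bearing payloads to application code or logs,
//  - only processes application messages from the expected origin
//    (assumption: the app's own messages all come from `trustedOrigin`).
function makeAppMessageHandler(trustedOrigin, onAppMessage) {
  return function handleMessage(event) {
    // Refresh result: do nothing, so the SDK's own listener still receives it.
    if (isSdkRefreshMessage(event)) return undefined;
    // Unexpected sender: ignore rather than act on attacker-controlled data.
    if (event.origin !== trustedOrigin) return undefined;
    onAppMessage(event.data);
    return undefined; // never `return false`
  };
}

// Browser wiring; skipped outside a browser so the file also loads in Node.
if (typeof window !== 'undefined') {
  window.addEventListener(
    'message',
    makeAppMessageHandler(window.location.origin, (data) => {
      console.log('app message type:', data && data.type);
    })
  );
}
```

Because refresh messages are filtered out before any application code runs, the access token never reaches application logging or analytics through this handler.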

Limitations

This method doesn't actually refresh the tokens using the refreshToken. Instead, it creates an iframe that navigates to the authentication URL and takes advantage of the persistent grant system.

If the user isn't logged in, removes their grant, or didn't make their grant persistent, this will result in a redirect to the consent screen / login screen.

If your application doesn't persist state automatically, this might cause problems, because this callback might get called on any function call. In this case, make sure to check that the token isn't expired before calling any SDK method.
