Is prompt=none for silent refresh in a SPA possible with FusionAuth and its provided oauth endpoint?

Question

I am trying to integrate silent refreshing of access tokens within an iframe by using prompt=none using the oauth authorize endpoint. I can't seem to figure out how to do this or if it is even supported and do not see any information in the documentation here:

https://fusionauth.io/docs/v1/tech/oauth/overview

I've tried using prompt=none in the URL but it doesn't seem to do anything.

I expect prompt=none to work according to OpenID Connect Core 1.0

Thanks for all your help!

Answer 1

FusionAuth doesn't currently support the prompt=none option for the authorization code grant. This is something we are planning on adding in one of the upcoming releases.

However, there is a work-around that others have used. You can make an AJAX request to the authorize endpoint of FusionAuth and then check the result to determine if the user needs to log in again or refresh their access token.

Here's how it works:

User not logged in

1. Your application makes an AJAX request requests the /oauth2/authorize endpoint
2. FusionAuth will respond with a 200 and HTML that contains our login form if the user is no longer logged in.
3. Your application can check the response and see that the user needs to log in and take them to FusionAuth's interface to log back in.

User still logged in

1. Your application makes an AJAX request requests the /oauth2/authorize endpoint
2. FusionAuth will respond with a 302 to your redirect_uri with an authorization code
3. Your backend will complete the authorization code grant and call the FusionAuth token endpoint
4. This will return an access token (and possibly a refresh token)
5. Your backend should return a 200 plus a JSON body or something that indicates the user is still logged in
6. The AJAX response will be sent to your application and it can parse the response and see the user is still logged in
7. Your application will now have the new access token

This flow works in AJAX nicely. It doesn't work well in an iframe because there isn't a way for the iframe to message back out to your application that either the user needs to log in again or they are still logged in and now have a new access token.

If you want to open a GitHub issue for the prompt=none support on our authorize endpoint, you can do that here: https://github.com/FusionAuth/fusionauth-issues