Silent Renew and the "login_required" Error When Using oidc-client
I recently implemented the Silent Renew functionality of oidc-client in an Angular application I work on, and was getting reports that the users' tokens were still expiring. This made no sense to me as I'd verified the code was working during development, but yesterday I found the problem and am hoping it will save someone some time.
The error we were getting back was "Error from signinSilent: login_required". This indicates that the user's session is no longer active on IdentityServer and they must re-authenticate -- which, of course, is what we're trying to prevent by using Silent Renew. In our case, the problem wasn't with the Silent Renew functionality, but rather the user's session was expired. It was expired because, for some reason, we were setting the session length to 15 minutes instead of the default 10 hours.
What was occurring was that Silent Renew was attempting to renew a token after 55 minutes (60 minutes expiration, renewing 5 minutes early) but the session had already expired. During development, I had reduced the token expiration time to 2 minutes so I could more easily confirm that Silent Renew was making the request and renewing the token. But Silent Renew was never the problem.
Setting the session expiration back to 10 hours corrected the problem.
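The timing mismatch described above can be reproduced with a small model. This is an added example, not code from the original post or from oidc-client; the function and parameter names are hypothetical, the session is assumed to have a fixed (non-sliding) lifetime, and the 1-minute renew lead in the development scenario is an assumed value.

```javascript
// Added example: models silent renew attempts against an IdP session cookie
// with a fixed, non-sliding lifetime (assumption). Names are hypothetical.
function simulateSilentRenew({ sessionMinutes, tokenMinutes, renewLeadMinutes }) {
  if (!(renewLeadMinutes >= 0 && renewLeadMinutes < tokenMinutes)) {
    throw new RangeError("renewLeadMinutes must be >= 0 and < tokenMinutes");
  }
  if (!(sessionMinutes > 0)) {
    throw new RangeError("sessionMinutes must be > 0");
  }
  // Every successful renew issues a fresh token, so attempts are evenly spaced.
  const step = tokenMinutes - renewLeadMinutes;
  let renewals = 0;
  let attemptAt = step; // minutes since the interactive login

  // An attempt succeeds only while the IdP session is still alive.
  while (attemptAt < sessionMinutes) {
    renewals += 1;
    attemptAt += step;
  }
  return {
    renewals,                                   // successful silent renews
    loginRequiredAtMinute: attemptAt,           // first attempt that fails
    lastTokenExpiresAtMinute: attemptAt + renewLeadMinutes,
  };
}

// Constructed scenarios using the durations mentioned in the post.
const scenarios = {
  // 15-minute session, 60-minute token, renew 5 minutes early
  production: { sessionMinutes: 15, tokenMinutes: 60, renewLeadMinutes: 5 },
  // 2-minute token used during development (1-minute lead is assumed)
  development: { sessionMinutes: 15, tokenMinutes: 2, renewLeadMinutes: 1 },
  // session restored to 10 hours
  corrected: { sessionMinutes: 600, tokenMinutes: 60, renewLeadMinutes: 5 },
};

for (const [name, cfg] of Object.entries(scenarios)) {
  console.log(name, simulateSilentRenew(cfg));
}
```

Under these assumptions the development scenario renews successfully many times before the session ends, while the production scenario fails on its very first attempt.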
In IdentityServer 3, the session expiration can be set via AuthenticationOptions -> CookieOptions -> ExpireTimeSpan, as explained in the docs here. In the latest version of IdentityServer, it's a little different: check out the documentation here.
I hope this helps you if you're having this problem. At some point, I'd like to write a post of all the steps I did to get Silent Renew set up correctly in my app.