ForgeRock · dependabot · Jan 4, 2023 · Jan 4, 2023 · Jan 4, 2023
diff --git a/README.md b/README.md
@@ -112,6 +112,7 @@ Once the library is loaded, you have to provide the environmental details along
         oidc: true,
         identityProxyPreference: "XHR", // can be either "XHR" or "serviceWorker"
         renewStrategy: "authCode", // can be either "authCode" or "refreshToken"
+        attemptSilentAuthGrant: true, // if false, appAuthHelper won't use iframes to attempt to make silent auth code grants
         redirectUri: "appAuthHelperRedirect.html", // can be a relative or absolute url
         serviceWorkerUri: "appAuthServiceWorker.js" // can be a relative or absolute url
     });
@@ -132,6 +133,7 @@ Once the library is loaded, you have to provide the environmental details along
  - oidc [default: true] - indicate whether or not you want to get back an id_token
  - identityProxyPreference [default: serviceWorker] - Preferred identity proxy implementation (serviceWorker or XHR)
  - renewStrategy [default: authCode] - Preferred method for obtaining fresh (and down-scoped) access tokens (authCode or refreshToken); see "How it works" for details.
+ - attemptSilentAuthGrant [default: true] - By default appAuthHelper will try to silently acquire access tokens using a silent auth code grant in a hidden iframe. This may not always be possible, and may cause some issues with various OP vendors or in the context of third-party cookie restrictions. If set to false, the default renewStrategy will become "refreshToken".
  - redirectUri [default: appAuthHelperRedirect.html] - The redirect uri registered in the OP
  - serviceWorkerUri [default: appAuthServiceWorker.js] - Path to the service worker script. Make sure it is located low enough in your URL path so that its scope encapsulates all application code making network requests. See [Why is my service worker failing to register?](https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API/Using_Service_Workers#Why_is_my_service_worker_failing_to_register) if you have questions.
 

diff --git a/appAuthHelper.js b/appAuthHelper.js
@@ -12,6 +12,7 @@
          * @param {Object} config - configuration needed for working with the OP
          * @param {string} config.clientId - The id of this RP client within the OP
          * @param {boolean} [config.oidc=true] - indicate whether or not you want OIDC included
+         * @param {boolean} config.attemptSilentAuthGrant - indicate whether or not you want to try a silent auth code grant in a hidden iframe
          * @param {string} config.authorizationEndpoint - Full URL to the OP authorization endpoint
          * @param {string} config.tokenEndpoint - Full URL to the OP token endpoint
          * @param {string} config.revocationEndpoint - Full URL to the OP revocation endpoint
@@ -43,7 +44,10 @@
             this.tokensAvailableHandler = config.tokensAvailableHandler;
             this.interactionRequiredHandler = config.interactionRequiredHandler;
             this.appAuthConfig.oidc = typeof config.oidc !== "undefined" ? !!config.oidc : true;
-            this.appAuthConfig.renewStrategy = config.renewStrategy || "authCode";
+
+            this.appAuthConfig.attemptSilentAuthGrant = typeof config.attemptSilentAuthGrant !== "undefined" ? !!config.attemptSilentAuthGrant : true;
+            this.appAuthConfig.renewStrategy = config.renewStrategy || (this.appAuthConfig.attemptSilentAuthGrant ? "authCode" : "refreshToken");
+
             this.pendingResourceServerRenewals = [];
             this.identityProxyPreference = config.identityProxyPreference || "serviceWorker";
 

diff --git a/appAuthHelperBundle.js b/appAuthHelperBundle.js
diff --git a/appAuthHelperFetchTokens.js b/appAuthHelperFetchTokens.js
@@ -93,7 +93,17 @@
                         idToken: data.idToken
                     }, TRUSTED_ORIGIN);
                 }, () => {
-                    tokenManager.silentAuthzRequest();
+                    if (e.data.config.attemptSilentAuthGrant) {
+                        tokenManager.silentAuthzRequest();
+                    } else {
+                        tokenManager.getAuthzURL().then((url) =>
+                            parent.postMessage({
+                                message: "appAuth-interactionRequired",
+                                error: "Stored tokens unavailable and silent auth code grant not attempted",
+                                authorizationUrl: url
+                            }, TRUSTED_ORIGIN)
+                        );
+                    }
                 });
             break;
         case "makeRSRequest":

diff --git a/appAuthHelperFetchTokensBundle.js b/appAuthHelperFetchTokensBundle.js
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "appauthhelper",
-  "version": "0.5.0",
+  "version": "0.5.1",
   "description": "Wrapper for AppAuthJS to assist with silent token acquisition and renewal",
   "main": "appAuthHelper.js",
   "scripts": {