I am currently working on implementing a proof of concept for ADFS (2019) (which I managed successfully) and Azure AD with renewing the cookie / id_token by doing a refresh_token call in the backend of the web application. We currently experience a lot of problems with the hidden iframe solution we implemented in previous years due to browser security changes (SameSite cookie flag for example).
It’s hard to find any information whether this approach with refresh tokens is sound. I often stumble upon information which only talks about access_tokens and refresh_tokens. And id tokens are at best vaguely mentioned.
Both the ADFS and Azure AD documentation state that you can also receive the id_token by providing openid in the scope. I did not find any warnings on the (rather) poorly documented ADFS OpenId Connect / OAuth pages.
Though I found the following piece of information on the AzureAD Documentation regarding the id_token:
“An unsigned JSON Web Token (JWT). The app can decode the segments of this token to request information about the user who signed in. The app can cache the values and display them, but it should not rely on them for any authorization or security boundaries. For more information about id_tokens, see the id_token reference.
Note: Only provided if openid scope was requested.”
As far as my knowledge goes, access tokens should not be used to implicitly (and not to mention missing claims compared to the id_token) assume proof of identity. And I am certainly discouraged by the above information as to whether using refresh tokens is still a viable option.
The application I’m working on also has the problem of not having absolute URLs everywhere, so top frame redirects are not our first choice.
Can anyone provide some guidance as to which approach for renewing a user's session is secure and recommended? I can’t seem to find the proper information on official documentation and blog posts.
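As an added example (not part of the original post), here are the claim checks a backend would apply to the id_token that the refresh_token grant returns when `openid` is in scope, following OIDC Core section 12.2, written in Python with only the standard library. The issuer URL, client id and session values are constructed placeholders, and JWS signature verification against the issuer's JWKS is assumed to have been performed beforehand by a JOSE library, since the standard library has no RSA/EC support.

```python
import base64
import json
import time

ALLOWED_ALGS = {"RS256", "PS256", "ES256"}  # asymmetric only; "none"/HMAC are rejected


def _b64url_decode(segment: str) -> bytes:
    """Base64url without padding, as used by JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token(id_token: str):
    """Return (header, claims) of a compact JWS without verifying it."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def validate_refreshed_id_token(token_response, session, issuer, client_id, now=None):
    """Claim checks for an id_token obtained via the refresh_token grant (OIDC Core 12.2).
    Call only AFTER the JWS signature was verified against the issuer's JWKS (by kid);
    that step needs a JOSE library and is deliberately not implemented here.
    session: dict with 'sub' and optionally 'nonce'/'auth_time' from the original login."""
    now = int(time.time()) if now is None else now
    id_token = token_response.get("id_token")
    if not id_token:
        raise ValueError("no id_token in token response; was 'openid' in the requested scope?")
    header, claims = decode_id_token(id_token)
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if claims.get("iss") != issuer:
        raise ValueError("iss does not match the configured issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not contain this client_id")
    if claims.get("sub") != session["sub"]:
        raise ValueError("sub changed: refreshed token is not for the logged-in user")
    if "iat" not in claims:
        raise ValueError("iat claim missing")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("id_token is expired or has no exp")
    if "nonce" in claims and claims["nonce"] != session.get("nonce"):
        raise ValueError("nonce differs from the original authentication")
    if "auth_time" in claims and claims["auth_time"] != session.get("auth_time"):
        raise ValueError("auth_time differs from the original authentication")
    return claims


def make_constructed_id_token(claims, alg="RS256"):
    """CONSTRUCTED test token with a dummy signature segment; for offline tests only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': alg, 'typ': 'JWT', 'kid': 'test-kid'})}.{enc(claims)}.ZHVtbXk"
```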