AxaFrance / oidc-client

Light, Secure, Pure Javascript OIDC (Open ID Connect) Client. We provide also a REACT wrapper (compatible NextJS, etc.).
MIT License

DNS alias on local development #1001

Closed dclayton77 closed 1 year ago

dclayton77 commented 1 year ago

Issue and Steps to Reproduce

I have set up my React application using the sample code in the readme. Everything works great against my local identity server using PKCE while using the http://localhost:3000 domain. However, I also use a DNS alias for local development, e.g. http://web.myapp.local:3000. This is for CORS amongst other things.

When I try to view my react application on the DNS alias, I get an error in the browser that says my browser is not secure enough. See the screenshot below.

Is there some config to allow a custom DNS alias to work with the framework when running locally?

Versions

6.15.8

Screenshots

image

Thanks in advance for any help.

guillaume-chervet commented 1 year ago

Hi @dclayton77, thank you for your issue. What does your OIDC look like? Which browser are you using? Chrome?

dclayton77 commented 1 year ago

OIDC is Duende IdentityServer, set up to use PKCE in the same way as the Duende example that you use on the demo code in the readme. This is all working fine when using localhost.

The issue in the browser only occurs when I use a DNS alias. E.g. from the hosts file:

127.0.0.1 web.myapp.local

I am using Edge as a browser but the problem is also present in Chrome and Gener8, although they are both Chromium-based.

raffaeler commented 1 year ago

Did you create a self-signed certificate for web.myapp.local? You should have a single certificate for localhost having at least the following SAN entries:

dclayton77 commented 1 year ago

No, I wondered if it was something to do with certificates. I didn't explicitly create one for localhost but I guess that would already be present on the machine. I will investigate further and report back. Thank you for the pointer!

raffaeler commented 1 year ago

@dclayton77 The certificate's job is to ensure the DNS name you are using in the browser matches the certificate's canonical name (CN=) or one of the subject alternative names (SANs). If they do not match, the browser makes the call fail for obvious security reasons.

The default self-signed certificate generated by Visual Studio only provides localhost (which is also written in the SANs because it's a requirement). Therefore, if you didn't generate a custom self-signed certificate, there is no hope it can work.

HTH
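
Added example, not part of the thread or of the oidc-client project: one way to create a development-only self-signed certificate whose SANs cover both `localhost` and the alias from the hosts entry above, and to check which names a certificate covers. It assumes OpenSSL 1.1.1 or later on the PATH; the function names, file names and 30-day validity are illustrative choices.

```shell
# Added example (assumptions: OpenSSL 1.1.1+; names and paths are illustrative).

# make_dev_cert OUT_DIR NAME...
# Writes OUT_DIR/dev.key and OUT_DIR/dev.crt. The first NAME becomes the CN and
# every NAME becomes a DNS entry in subjectAltName, which is what browsers match.
make_dev_cert() {
  local out_dir=$1; shift
  local san="" name
  for name in "$@"; do
    san="${san:+$san,}DNS:$name"
  done
  mkdir -p "$out_dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" \
    -addext "subjectAltName=$san" \
    -keyout "$out_dir/dev.key" -out "$out_dir/dev.crt" 2>/dev/null || return 1
  # The private key is unencrypted (-nodes): keep it readable by the owner only.
  chmod 600 "$out_dir/dev.key"
}

# cert_covers CERT HOST
# Exit status 0 only if HOST matches a name in the certificate.
cert_covers() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Demo: a localhost-only certificate does not cover the alias; one with both SANs does.
demo() {
  local tmp
  tmp=$(mktemp -d)
  make_dev_cert "$tmp/only" localhost
  make_dev_cert "$tmp/both" localhost web.myapp.local
  cert_covers "$tmp/only/dev.crt" web.myapp.local || echo "localhost-only cert: alias NOT covered"
  cert_covers "$tmp/both/dev.crt" web.myapp.local && echo "two-SAN cert: alias covered"
  rm -rf "$tmp"
}
```

The generated certificate still has to be served by the development server and trusted by the browser or OS certificate store before the name check can succeed in a browser.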

guillaume-chervet commented 1 year ago

Hi @dclayton77, did you solve your problem? May we close the issue?

guillaume-chervet commented 1 year ago

Hi @raffaeler, @dclayton77,

Your issue seems to be solved. Thank you very much for it. I am closing the issue, but feel free to reopen it if needed.