AxaFrance / oidc-client

Light, secure, pure JavaScript OIDC (OpenID Connect) client. A React wrapper is also provided (compatible with Next.js, etc.).
MIT License

Sometimes AXA does not properly detect login and shows an error message, but the user is logged in. #1119

Open PatrickH89 opened 1 year ago

PatrickH89 commented 1 year ago

Hello, I am using Keycloak and your package.

After receiving an e-mail for mail verification or password reset from Keycloak, I click on the link to verify the mail or reset the password; this process works fine.

Then, after mail verification or password reset, it should redirect to the landing page, but instead an error happens and I have to refresh the page. After the refresh I am logged in on the landing page.

So far I don't know how to provoke this error. Sometimes an error happens and sometimes it all works fine.

What could be the reason for this problem?

Error details from the Chrome DevTools console:

(screenshot of the console error, not reproduced here)

guillaume-chervet commented 1 year ago

Hi @PatrickH89, thank you for your issue. The error comes from this line: https://github.com/AxaFrance/oidc-client/blob/9f986c6b576c50b9d87d94e2fc5af0c7521c7bdf/packages/oidc-client/src/login.ts#L113

Do you have more detail about your configuration?

I will try to publish a version with more log detail for your case.

guillaume-chervet commented 1 year ago

Hi @PatrickH89, in version 7.2 I have added more logs to help understand your problem.

PatrickH89 commented 1 year ago

Hey @guillaume-chervet, thank you very much for the fast response and for adding more logs in version 7.2. I will try the new version.

I hope these OIDC configs are helpful.

import { OidcConfiguration as AxaOidcConfiguration } from "@axa-fr/react-oidc";

export const oidcConfig: AxaOidcConfiguration = {
  client_id: "myAppXYZ-frontend",
  authority: "https://int-login.page-name.de/realms/realmname",
  scope: "openid profile email phone address offline_access myAppXYZ-backend",
  redirect_uri: "http://localhost:5100/#/authentication/callback",
  silent_redirect_uri: "http://localhost:5100/#/authentication/silent-callback",
  service_worker_relative_url: "/OidcServiceWorker.js",
  service_worker_only: true,
};
guillaume-chervet commented 1 year ago

Hi @PatrickH89, which message do you get with the latest version? It should display more details about the reason.

guillaume-chervet commented 9 months ago

Hi @PatrickH89, I think that the latest version fixes this issue.

lab-willharper commented 6 months ago

Hi @guillaume-chervet,

I am having a similar problem on version 7.20.1. It appears that doing the following will produce a similar error:

  1. Trigger login.
  2. Wait for redirect to auth provider page.
  3. Wait 5-7 min on the auth provider login screen.
  4. Enter credentials and submit.
  5. Redirect back to login page will trigger a "Refresh token should be hidden by service worker" error in the console.

From my investigation, it seems that when it goes to do the token retrieval as part of the first login, it is expecting to find a masked code_verifier, but it retrieves the actual code itself.

(screenshot of the console, not reproduced here)

This is my current configuration:

import { TokenAutomaticRenewMode } from "@axa-fr/react-oidc";

export const oidcConfig = {
  authority: window.identityUrl,
  client_id: 'ClientUI',
  redirect_uri: (window as any).location.origin + '/authentication/callback',
  silent_redirect_uri: (window as any).location.origin + '/authentication/silent-callback',
  grantType: 'code',
  scope: 'offline_access api_1 api_2',
  refresh_time_before_tokens_expiration_in_second: 120,
  service_worker_relative_url: '/OidcServiceWorker.js',
  token_automatic_renew_mode: TokenAutomaticRenewMode.AutomaticOnlyWhenFetchExecuted,
};

Edit: Please disregard the console.log statements you see in the screen cap. I added those trying to figure out what was wrong.

guillaume-chervet commented 6 months ago

Hi, thank you @PatrickH89, being able to reproduce is the best way to fix it :) Thank you, and I know what to do!

MKraust commented 6 months ago

I'm facing a similar problem while using sessionStorage only (without the service worker). Reset-password links are opened in a new tab, where the state is not present in sessionStorage, which leads to an error on the callback redirect from Keycloak.

I've come up with a hack that does an automatic hard page refresh in case of an authentication error, but I don't think it is good to do that.

I've also faced some other weird things around unmatched state, which involve Chrome's preloading feature. Is there any possibility to optionally disable state parameter checking?

lab-willharper commented 6 months ago

Hi @guillaume-chervet,

I have continued looking into this, and it would appear that in oidc-client/src/login.ts, loginCallbackAsync, when using the service worker, assumes that the service worker has all of the required values. Is it possible to change this so that it checks whether there is a verifier in the session storage that matches the configuration resolved at service worker start-up, and uses it to populate the values in the service worker?

(screenshot of login.ts, not reproduced here)

Thanks!