AxaFrance / oidc-client

Light, Secure, Pure Javascript OIDC (Open ID Connect) Client. We provide also a REACT wrapper (compatible NextJS, etc.).
MIT License
570 stars 152 forks

Auth successful with invalid redirect_uri #1387

Closed uhexos closed 1 week ago

uhexos commented 2 weeks ago

Issue and Steps to Reproduce

Description

With the following configuration for OIDC:

const configuration: OidcConfiguration = {
 client_id: 'movies-app',
 redirect_uri: `${window.location.origin}/authentication/nonsense`, // Invalid redirect URI
 // silent_redirect_uri: `${window.location.origin}/authentication/silent-callback`,
 scope: 'openid offline_access', // offline_access scope allows client to retrieve refresh_token
 authority: 'http://localhost:8080/realms/company-services',
};

And the following router configuration:

  {
    path: '/',
    element: <HomePage />,
  },
  {
    path: '/admin',
    element: (
      <OidcSecure>
        <BaseLayout />
      </OidcSecure>
    ),
    children: [
      {
        path: '',
        element: <Home />,
      },
    ],
  },
]);

Authentication is still successful, even though the redirect_uri is set to an invalid path /authentication/nonsense, and service workers are not enabled. How is this possible?


guillaume-chervet commented 2 weeks ago

Hi @uhexos, thank you for your issue. This is normal behavior. The library is router agnostic and manages its own routes internally.

uhexos commented 2 weeks ago

So what is the point of the redirect_uri if it has no impact on authentication? How can I get it to ignore the internal callback and use the one provided by me instead?

guillaume-chervet commented 2 weeks ago

redirect_uri should be configurable inside your OIDC server, and your OIDC server should accept only the configured one, @uhexos.
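The maintainer's point above, as an added example that is not oidc-client's code: the redirect_uri a public client sends is only protective if the authorization server compares it exactly against the registered value and refuses to redirect anywhere else when it does not match. The client registration, the port 3000 callback URL and the authorization code below are constructed for illustration; the client_id is the one from the issue. The prefix-matching function is included only to make the weaker check visible, since some servers accept wildcard-style registrations for convenience, and such a registration would accept a path like /authentication/nonsense.

```javascript
// Added example (not oidc-client code): where the redirect_uri check that protects
// a public client actually lives. Needs only the WHATWG URL API (Node or browser).

// Constructed client registration, as an OIDC server would store it. The client_id
// matches the issue; the callback URL and port are assumptions.
const registeredClients = {
  'movies-app': {
    redirect_uris: ['http://localhost:3000/authentication/callback'],
  },
};

// Server side: exact string comparison of the requested redirect_uri against the
// registered list (RFC 6749 section 3.1.2 and the OAuth 2.0 Security BCP call for
// exact matching). No prefix, no wildcard, no normalisation beyond a successful parse.
function redirectUriAllowed(clientId, requested) {
  const client = registeredClients[clientId];
  if (!client || typeof requested !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(requested);
  } catch {
    return false; // not an absolute URL
  }
  if (parsed.hash !== '') return false; // RFC 6749: redirect URIs MUST NOT carry a fragment
  return client.redirect_uris.includes(requested);
}

// Prefix matching, as some servers permit for convenience (a registration such as
// "http://localhost:3000/*"). Shown only to expose the weaker check: it accepts any
// path under the prefix, and without a trailing slash it also accepts other hosts.
function redirectUriAllowedByPrefix(registeredPrefix, requested) {
  return typeof requested === 'string' && requested.startsWith(registeredPrefix);
}

// Minimal authorize-endpoint decision. A rejected redirect_uri must produce an error
// page for the user-agent; the server must never redirect to an unvalidated URI.
function handleAuthorize(params) {
  const { client_id, redirect_uri, response_type, state } = params;
  if (!redirectUriAllowed(client_id, redirect_uri)) {
    return {
      action: 'render_error',
      error: 'invalid_request',
      error_description: 'redirect_uri does not match a registered value',
    };
  }
  // From here on redirect_uri is trusted, so protocol errors may be sent to it.
  const location = new URL(redirect_uri);
  if (response_type !== 'code') {
    location.searchParams.set('error', 'unsupported_response_type');
    if (state) location.searchParams.set('state', state);
    return { action: 'redirect', location: location.toString() };
  }
  location.searchParams.set('code', 'CONSTRUCTED_CODE'); // stand-in for an issued code
  if (state) location.searchParams.set('state', state);
  return { action: 'redirect', location: location.toString() };
}

// Client side: the configured redirect_uri also tells the client which URL is the
// callback. Consume code and state only when the browser actually landed on that
// origin and path and the state round-trips; otherwise treat the URL as ordinary.
function parseCallback(currentHref, configuredRedirectUri, expectedState) {
  const here = new URL(currentHref);
  const expected = new URL(configuredRedirectUri);
  if (here.origin !== expected.origin || here.pathname !== expected.pathname) return null;
  const code = here.searchParams.get('code');
  const state = here.searchParams.get('state');
  if (!code || !state || state !== expectedState) return null;
  return { code, state };
}

// Constructed requests: the path from the issue versus the registered callback.
const nonsense = handleAuthorize({
  client_id: 'movies-app',
  redirect_uri: 'http://localhost:3000/authentication/nonsense',
  response_type: 'code',
  state: 'abc',
});
const ok = handleAuthorize({
  client_id: 'movies-app',
  redirect_uri: 'http://localhost:3000/authentication/callback',
  response_type: 'code',
  state: 'abc',
});
console.log(nonsense.action, ok.location);
```

With an exact-match registration the request naming /authentication/nonsense never gets an authorization code. If the server's registration for movies-app were a prefix or wildcard instead, the same request would be accepted and the code would be delivered to whatever path the client asked for; the thread does not say how the Keycloak client here is registered, so that is one possibility rather than an established cause. The client-side gate shows the other half of the maintainer's answer: redirect_uri is what the client sends in the request and what it uses to recognise its own callback, but it cannot substitute for the server-side check.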

uhexos commented 2 weeks ago

Setting up the redirect_uri is fine; I know it must exist on the OIDC server as well. I want react-oidc to completely ignore the default behaviour and use only the custom one I am providing. How can I do that? Also, where can I find the implementation for storing/accepting/processing the code token in the source files?

uhexos commented 1 week ago

ghosted