AxaFrance / oidc-client

Light, secure, pure JavaScript OIDC (OpenID Connect) client. We also provide a React wrapper (compatible with Next.js, etc.).
MIT License

An unnecessary method call to get a token leads to a CORS error #1436

Open xzdwq opened 3 months ago

xzdwq commented 3 months ago

Hi! My config:

```ts
import { OidcClient, OidcConfiguration, TokenAutomaticRenewMode } from '@axa-fr/oidc-client';

const configuration: OidcConfiguration = {
  client_id: 'x',
  redirect_uri: window.location.origin + '/auth/oidc/callback',
  silent_redirect_uri: window.location.origin + '/auth/oidc/callback',
  scope: 'openid profile email',
  authority: 'https://adfs.x.com/adfs',
  storage: localStorage,
  token_renew_mode: 'access_token_or_id_token_invalid',
  token_automatic_renew_mode: TokenAutomaticRenewMode.AutomaticBeforeTokenExpiration,
  preload_user_info: false,
  monitor_session: false,
  refresh_time_before_tokens_expiration_in_second: 70,
  service_worker_only: false,
  extras: {
    // extra parameters appended to the authorization request
    response_type: 'id_token token',
    response_mode: 'query',
  },
};

const oidcClient = OidcClient.getOrCreate(() => fetch)(configuration);

export { configuration, oidcClient };
```

After successful authorization on the AD FS side, the redirect takes place back to the application and returns the following parameters to me:

```text
http://localhost:4444/auth/oidc/callback
#access_token=ey...
&token_type=bearer
&expires_in=3600
&id_token=ey...
&scope=email%20profile%20openid
&state=UQB...
```

This is enough for me to authorize the user inside the application, but I have to call the method `oidcClient.loginCallbackAsync()`.

That method calls the URL https://adfs.x.com/adfs/oauth2/token/, and that request fails with a CORS error.

I don't need to call https://adfs.x.com/adfs/oauth2/token/, since I already have the tokens. Is there a way to process `oidcClient.loginCallbackAsync()` without calling https://adfs.x.com/adfs/oauth2/token/?

Versions

```json
"@axa-fr/oidc-client": "^7.22.22-alpha.1536",
```

Expected

When specifying `response_type: 'id_token token'`, do not make a separate request to the token endpoint.

guillaume-chervet commented 3 months ago

Hi @xzdwq, do you know the name of this flow? Thank you for your issue. So you receive the access_token during the callback and do not need anything more?

xzdwq commented 3 months ago

@guillaume-chervet I do not know if this flow has a name, but this is the policy in our company. We get information about the user from the id_token and validate work with services using the access_token; it also contains the "expired" information.

Maybe there is an option to use the access_token as the main one?