IdentityModel / oidc-client-js

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
Apache License 2.0

Should manually set metadata be saved to Local Storage? #1147

Closed fromorbonia closed 3 years ago

fromorbonia commented 4 years ago

Hi,

I successfully managed to use the library to connect to the Microsoft Azure AD OIDC provider, which has been configured for Single Page Apps. Great to see all the auth code flow and PKCE in action. Unfortunately Azure doesn't support CORS on the /.well-known/openid-configuration endpoint, so I've had to manually configure the metadata. After calling signinRedirect() the main config (e.g. authority) is stored in Local Storage, but the metadata I entered is not stored, which means I need to supply that information again on the callback page when using signinRedirectCallback(). Did I miss a simple configuration item?

I notice that in toStorageString() method there is no mention of metadata, so maybe the intent was never to store this? It would be handy to have this stored as it means the library neatly encapsulates the entire process. Or would this then cause a problem with the OIDC standard?

Thanks
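One way to sidestep the missing persistence described above is to build the settings from a single shared function that both the sign-in page and the callback page call, so the manually supplied metadata is identical on each side. This is an added example, not code from oidc-client-js or from the issue author; the Azure AD v2.0 endpoint shapes, tenant id and client id are assumptions for illustration.

```javascript
// Added example: one settings factory shared by the sign-in and callback pages.
// Endpoint shapes for the Azure AD v2.0 endpoints are assumed here; check them
// against your tenant's discovery document before use.
const REQUIRED_ENDPOINTS = ['issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri'];

function azureMetadata(tenantId) {
  const base = `https://login.microsoftonline.com/${tenantId}`;
  return {
    issuer: `${base}/v2.0`,
    authorization_endpoint: `${base}/oauth2/v2.0/authorize`,
    token_endpoint: `${base}/oauth2/v2.0/token`,
    jwks_uri: `${base}/discovery/v2.0/keys`,
    end_session_endpoint: `${base}/oauth2/v2.0/logout`,
    userinfo_endpoint: 'https://graph.microsoft.com/oidc/userinfo',
  };
}

// Fail fast on an incomplete or inconsistent manual metadata block: every
// endpoint the code flow needs must be present, HTTPS, and the issuer must
// equal the authority so ID token issuer validation can succeed.
function validateMetadata(metadata, authority) {
  const missing = REQUIRED_ENDPOINTS.filter((k) => !metadata[k]);
  if (missing.length) throw new Error(`metadata missing: ${missing.join(', ')}`);
  for (const k of REQUIRED_ENDPOINTS) {
    if (!metadata[k].startsWith('https://')) throw new Error(`${k} must use https`);
  }
  if (metadata.issuer !== authority) throw new Error('issuer does not match authority');
  return true;
}

// Returns the object passed to `new UserManager(...)` on both pages. Because
// `metadata` is supplied, the library never fetches the discovery endpoint.
function buildSettings({ tenantId, clientId, redirectUri }) {
  const metadata = azureMetadata(tenantId);
  const authority = metadata.issuer;
  validateMetadata(metadata, authority);
  return {
    authority,
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code',      // authorization code flow; the library adds PKCE
    scope: 'openid profile email',
    metadata,
  };
}
```

The sign-in page calls `new UserManager(buildSettings(cfg)).signinRedirect()` and the callback page calls `new UserManager(buildSettings(cfg)).signinRedirectCallback()`, so nothing about the metadata needs to survive in Local Storage.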

fromorbonia commented 4 years ago

@brockallen - did you have any thoughts on this? Thanks!

gary-archer commented 4 years ago

Azure AD fully supports CORS and Authorization Code Flow (PKCE) since early 2020 (took them a while). Interestingly they also use one time use refresh tokens (even more recently).

You need to configure your OAuth Client as a Single Page App as in step 6 of my write up.

brockallen commented 4 years ago

> Azure AD fully supports CORS

Including the discovery endpoint(s)?

gary-archer commented 4 years ago

Yes - see my wrapper class here. Based on my Stack Overflow adventures I found out in early 2020 that it was now working in the recommended way.

Before that I had to double hop certain requests via an API to make it work. The SPA support Microsoft has added is actually pretty good.

fromorbonia commented 4 years ago

@gary-archer - the reason I was looking at this was to try out that new Azure AD support for Single Page Apps. All worked fine, but at the time it was blocking the client calling /.well-known/openid-configuration. Just had a chance to get back to this, and the call now works from the client, so it doesn't matter that the state is not persisted. @brockallen - I suspect you will want to close this, as the demand for this particular situation is going to be very low?