IdentityModel / oidc-client-js

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
Apache License 2.0

Getting stuck on signinRedirectCallback #1320

Open benitazz opened 3 years ago

benitazz commented 3 years ago

I'm working on angular 10, implemented the auth service which works most of the time but occasionally getting stuck on login screen:

Error:

```
error: "invalid_grant"
error_description: "The specified authorization code is invalid."
```

Not sure why it works and suddenly it stops working.

```typescript
// config
const stsSettings = {
  authority: `${this.ssoissuer}/auth`,
  client_id: environment.ssoclientid,
  redirect_uri: `${this.host}/signin-callback`,
  scope: 'openid email profile offline_access',
  response_type: 'code',
  post_logout_redirect_uri: `${this.host}/signout-callback`,
  revokeAccessTokenOnSignout: true,
  automaticSilentRenew: false,
  silent_redirect_uri: `${this.host}/assets/silent-callback.html`
};
```

```typescript
import { User } from 'oidc-client';

// AuthService: complete login, which seems to have a problem from time to time
public completeLogin(): Promise<User> {
  return this.userManager.signinRedirectCallback().then(user => {
    this.user = user;
    this.loginChangedSubject.next(!!user && !user.expired);
    return user;
  });
}
```

benitazz commented 3 years ago

It looks like the code gets trimmed for some reason.

Please check the code on the URL: `http://localhost:4200/signin-callback?code=<authorization code elided>&state=d7d08f6d3d2445bdae783bb4a05ccd1e`

VS the code that is sent to the client:

```
client_id: *
code: <authorization code elided>
redirect_uri: http://localhost:4200/signin-callback
code_verifier: ***
grant_type: authorization_code
```

brockallen commented 3 years ago

Yea, URLs or proxies sometimes limit URL length. Nothing this library can do about that.

ARM-Source commented 3 years ago

How did you fix this issue?

benitazz commented 3 years ago

I have closed the issue because of this comment: "Yea, URLs or proxies sometimes limit URL length. Nothing this library can do about that."

Actually I found out that the issue is not because the code is getting discarded; the library removes the state when sending back to the server, which works fine on localhost, but as soon as I point to https on the test server, that's when it works and sometimes it does not work.

My solution: I ended up implementing the token flow, which I'm not happy with because it is not as secure as the code flow.

ARM-Source commented 3 years ago

Thank you for responding!

brockallen commented 3 years ago

> Actually I found out that the issue is not because the code is getting discarded; the library removes the state when sending back to the server, which works fine on localhost, but as soon as I point to https on the test server, that's when it works and sometimes it does not work.

Well, there must be a reason the state is not being accessed properly. Is it possible that user starts on http but ends up on https on the callback? That's a common mistake.
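The origin point raised here can be checked before calling `signinRedirectCallback()`. The following is an added example, not code from oidc-client-js or from this thread: it parses the callback URL, compares its origin (scheme, host, port) with the configured `redirect_uri`, and verifies that a sign-in state entry exists in the state store. It assumes the library's default of keeping sign-in state under `oidc.<state>` in web storage; the store is modelled as a `Map` so the function runs in Node, and the sample settings and URLs are constructed.

```javascript
// Pre-flight diagnostic for an OIDC authorization-code callback page.
// Web storage is scoped per origin, so state written while the app ran on
// http://host cannot be found when the IdP redirects back to https://host.
const STATE_PREFIX = 'oidc.'; // assumed default WebStorageStateStore prefix

function diagnoseSigninCallback(callbackUrl, settings, stateStore) {
  const problems = [];
  const url = new URL(callbackUrl);
  const params = url.searchParams;

  // 1. The authorization server may have returned an error instead of a code.
  if (params.has('error')) {
    problems.push(`authorization server error: ${params.get('error')}`);
  }

  // 2. The page origin must match the origin of redirect_uri exactly.
  const expected = new URL(settings.redirect_uri).origin;
  if (url.origin !== expected) {
    problems.push(`origin mismatch: callback is ${url.origin}, redirect_uri is ${expected}`);
  }

  // 3. The state parameter must be present and must map to a stored entry.
  const state = params.get('state');
  if (!state) {
    problems.push('no state parameter on callback URL');
  } else if (!stateStore.has(STATE_PREFIX + state)) {
    problems.push(`no stored sign-in state for ${STATE_PREFIX}${state}`);
  }

  return { ok: problems.length === 0, problems };
}

// Constructed sample: configured redirect_uri is https, and the state store as
// seen from the callback page holds one entry written when sign-in started.
const settings = { redirect_uri: 'https://app.example/signin-callback' };
const store = new Map([['oidc.abc123', '{"id":"abc123"}']]);

// A callback that landed on http instead of https is reported before the
// library gets a chance to fail with a missing-state or invalid_grant error.
const result = diagnoseSigninCallback(
  'http://app.example/signin-callback?code=x&state=abc123', settings, store);
console.log(result);
```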

ARM-Source commented 3 years ago

Do you know where I could specifically check for this in the related question https://github.com/IdentityModel/oidc-client-js/issues/1325?

ARM-Source commented 3 years ago

@benitazz Can you share the configuration on the IDP and client for the token flow? With "Token Flow" do you mean implicit flow?

benitazz commented 3 years ago

Yes, I mean the implicit flow. Below is my configuration for Implicit flow:

```typescript
const stsSettings = {
  authority: `${this.ssoissuer}/auth`,
  client_id: environment.ssoclientid,
  redirect_uri: `${this.host}/signin-callback`,
  scope: 'oidc account email profile offline_access api',
  response_type: 'token',
  post_logout_redirect_uri: `${this.host}/signout-callback`,
  oidc: true,
};
```

But this does not work if I put openid on the scope; it starts asking about nonce and error after error.

benitazz commented 3 years ago

This is the IDP that is working and sometimes it does not work:

```typescript
const stsSettings = {
  authority: `${this.ssoissuer}/auth`,
  client_id: environment.ssoclientid,
  redirect_uri: `${this.host}/signin-callback`,
  scope: 'openid email profile offline_access api',
  response_type: 'code',
  post_logout_redirect_uri: `${this.host}/signout-callback`,
  oidc: true,
};
```

rvjaywaks commented 3 years ago

I have the same issue. I have a 50% signinRedirectCallback success and 50% failed.

Error on server (screenshot)