IdentityModel / oidc-client-js

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
Apache License 2.0

Popup not fully working on IE - postMessage support? #156

Closed CesarD closed 8 years ago

CesarD commented 8 years ago

I can't get the sample IdentityServer.JsWalkthrough to work on IE (right now v11). Once the popup appears and I enter credentials and give my consent, the popup just keeps showing the "popup.html" page used for the signinPopupCallback(). Is it possible that IE doesn't support postMessage between windows and tabs? Any known workaround for this?

Also, if I, alternatively, try to do just a signin redirect, when I point back to my app index.html, I see extra params on the URL, similar to a query string, but prefixed with # and including the id_token, access_token and other user data from the ticket. It worries me that if some user copies and pastes the URL from the web site, he/she might be exposing sensitive data to third parties. Any way to prevent it?

brockallen commented 8 years ago

IdentityServer3 or IdentityServer4?

CesarD commented 8 years ago

IdentityServer3. Regarding the popup, in the meantime, I implemented with redirects because there was no way to make it work on IE. Regarding the 2nd paragraph about the redirects I figured out the way to make a window.location.replace() on the promises response of the callbacks to redirect back to the index.html, so that's ok.

So, to wrap it up, the only point would be to know if there's some workaround for the popup to work correctly on IE.

brockallen commented 8 years ago

Ok, I'll see if I can repro.

brockallen commented 8 years ago

I was able to repro on IE11. I'll see what the issue is and fix for 1.2.1.

LetsGoRosco commented 8 years ago

I also encountered this issue in IE 11 whilst running on localhost.

I investigated and found that the problem is in the PopupWindow._checkForPopupClosed method.

Once the popup is opened, this method checks the _popup.closed property to determine if the popup is still open. IE sets this property to 'true' as soon as the popup redirects from localhost to an external URL (e.g. an external provider) even though the popup is still open. This triggers an error "Popup window closed", and then even if you proceed to login the popup can't communicate back with the parent page.

In IE 11 if you disable Protected Mode on the security tab it will work, but obviously this is not the solution.

I found that by setting a local domain up rather than using localhost the issue was avoided.

Hope this helps.

brockallen commented 8 years ago

Ok, looks like it's not supported on IE11: https://blogs.msdn.microsoft.com/ieinternals/2009/09/15/html5-implementation-issues-in-ie8-and-later/

IIRC I had tested this when I rewrote this library and it worked. I'll have to find out how I used to do this in the prior version.
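As an added example (not oidc-client-js code), here is how a browser client can consume the fragment response CesarD describes: it checks the returned state, strips the tokens from the address bar so a copied URL no longer carries them, and, for the popup-to-opener message path discussed in this thread, accepts a forwarded fragment only from the expected origin. The function names, the sample fragment and the state value are this example's own assumptions.

```javascript
// Added example, not part of oidc-client-js. Names are this example's own.

// Parse "#id_token=...&access_token=...&state=..." into a plain object.
function parseFragment(hash) {
  const raw = hash.startsWith('#') ? hash.slice(1) : hash;
  return Object.fromEntries(new URLSearchParams(raw));
}

// Validate the response: the state must equal the value stored before the
// authorization request was sent; otherwise the tokens are not accepted.
function processSigninResponse(hash, expectedState) {
  const r = parseFragment(hash);
  if (r.error) throw new Error('authorization error: ' + r.error);
  if (!expectedState || r.state !== expectedState) throw new Error('state mismatch');
  if (!r.id_token) throw new Error('response has no id_token');
  return { idToken: r.id_token, accessToken: r.access_token, state: r.state };
}

// Redirect flow: once the fragment has been consumed, replace the current
// history entry so the address bar (and anything copied from it) no longer
// carries tokens. `loc` / `hist` are window.location / window.history in a
// browser; they are parameters here so the function also runs outside one.
function stripFragment(loc, hist) {
  const clean = loc.pathname + loc.search;
  hist.replaceState(null, '', clean);
  return clean;
}

// Popup flow: the callback page forwards its fragment to the opener with
// opener.postMessage(hash, openerOrigin). The opener accepts the message only
// when event.origin is the origin hosting the callback page, then still
// validates state; anything else is dropped (returns null).
function onPopupMessage(event, expectedOrigin, expectedState) {
  if (event.origin !== expectedOrigin) return null;
  if (typeof event.data !== 'string' || !event.data.startsWith('#')) return null;
  return processSigninResponse(event.data, expectedState);
}

// Constructed sample response; token values are placeholders, not real JWTs.
const SAMPLE_HASH =
  '#id_token=ID.TOKEN.PLACEHOLDER&access_token=AT_PLACEHOLDER' +
  '&token_type=Bearer&expires_in=3600&state=s1';
```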

brockallen commented 8 years ago

I reworked the communication from the popup back to the main window to be closer to how it was in the last version. oidc-client@1.2.1-beta.2 pushed to npm -- please test (across all browsers) and let me know how it works for you.

CesarD commented 8 years ago

Ok, great, I'll give it a try by Monday or Tuesday when I'm back at the office. Thanks a lot!

brockallen commented 8 years ago

I just released another beta. Please try it and let me know if it's working.

SebastianStehle commented 7 years ago

Hi, I just experienced the same issue. At the moment I use redirect for IE11 and popups for the good browsers. But it is a little bit annoying because my SPA is not that fast to load at the moment and I would prefer the popup.

groetzi commented 7 years ago

Just a comment on @LetsGoRosco's answer: seems to be due to the fact that localhost and external URLs usually lie in different IE security zones (one in the intranet zone, one in the internet zone), which is why communication between them is blocked. For others: things usually just work out when deployed (if not, assert that all sites accessed during the flow are in the same IE security zone).

cosmoKenney commented 6 years ago

I'm facing this issue right now. I set up my SPA to log in via an IFrame. In other words I pass the IFrame name, using the popupWindowTarget field, to the signinPopup call. This works well in Chrome and Firefox and makes it look like the login is a component of my SPA.

However in Edge I've had to implement signinPopup using popupWindowTarget: '_blank'. That works.

But in IE11, when using signinPopup and popupWindowTarget: '_blank', the popup window never closes. And if I use signinRedirect in IE11, then I go into an infinite loop of redirect to login, then back to my SPA, then back to login and so on.

I really hate having three different user experiences for login.

Problem is that I have to support IE9+ and all the other browsers. And since these are external customers, I cannot dictate that they put the sites into trusted zone or whatever in IE.

I'm open to suggestions here. I'm under immense pressure to get this app out.

Interestingly in IE11 after I login and the popup stays open, I tried to simply refresh the page in the popup, and I see a message in the console that says Promise is undefined. But there are no messages in console if I just leave the popup alone after logging in (this is in the dev tools for the popup). However in the dev tools for the main app, the last message logged is just PopupWindow.navigate: Setting URL in popup. If I manually close the popup after logging in, then I get an error in the main app's dev tools that says PopupWindow.error: Popup window closed.

maclonghorn commented 5 years ago

@brockallen We're experiencing the same behavior, even though you had fixed it in 2016? But it doesn't fail for all IE11 clients. Some actually work. Is this still an open issue?

brockallen commented 5 years ago

But it doesn't fail for all IE11 clients. Some actually work.

Hmm, not sure. This sounds environmental. IE has always been wonky with its zones, which is commonly the issue.

cosmoKenney commented 5 years ago

@maclonghorn I ended up dropping the pop-up log-in/log-out. And just went with redirect style. I ended up having to spend some time on the IDP code to build dynamic themes based on client id so that depending on which client you were redirecting from the login would look like it was part of the app. I found that easier than trying to "fix" IE. There is no hope for IE/Edge as far as I'm concerned. And, you should note, I spent a lot of time stepping through the oidc-client code to try to resolve it. I think it could be resolved by using a different IPC mechanism between the client and popup instance of oidc-client. But I never had time to do a PR.

brockallen commented 5 years ago

I think it could be resolved by using a different IPC mechanism between the client and popup instance of oidc-client. But I never had time to do a PR.

Yep, agreed. There are other ways that would avoid the limitation added by IE (after the original effort).

maclonghorn commented 5 years ago

@cosmoKenney @brockallen Thanks for the replies. We also have reverted back to the redirect instead of performing brain surgery on ourselves. Ideally, we would do an in-page "popover" using an iframe or something. Is that possible?

brockallen commented 5 years ago

iframes won't work if your login page uses XFO (and IMO it generally should).