IdentityModel / oidc-client-js

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
Apache License 2.0

Implicit flow on SPA without popup login? #240

Closed rbailly closed 7 years ago

rbailly commented 7 years ago

Dear all,

Is there a way to implement this basic scenario:

1) Landing directly on a customized login page (no popup window or click on a "login" button from an already existing page)
2) After authentication, arriving on my home page with all my user data

Thanks for helping, I spent quite some time testing and making things work before asking here.

Rodolphe

brockallen commented 7 years ago

Client redirects immediately to OP. Custom login would be on the OP.

rbailly commented 7 years ago

OK, thanks a lot. Now I have an issue with state parameters. Sorry if I mix up things.

Here are the steps of my scenario:

1) http://myHome/login.ashx performs a 302 redirect to:

https://myOP/connect/authorize?client_id=js&scope=openid email profile api&response_type=id_token token&redirect_uri=http%3A%2F%2FmyHome%2Findex.html&state=af0ifjsldkj&nonce=n-0S6_WzA2Mj

2) I have this URL after signin:

http://myHome/index.html#id_token=eyJ0eXAiOi...&access_token=eyJ0eXAiOi...&token_type=Bearer&expires_in=60&scope=openid%20email%20profile%20api&state=af0ifjsldkj&session_state=HC3MpxAcm4hdi_yezSN7RqSI2rMOJayZf2NPtDF0n9o

3) Problem is, I got this error when trying to parse the token:

"No matching state found in storage"

State parameters are equal on both URLs. What am I missing?

brockallen commented 7 years ago

Make sure the page you leave from is the same origin as the one you are redirected to. Maybe http vs https?

rbailly commented 7 years ago

http://myHome/login.ashx and http://myHome/index.html are in the same folder. HTTPS is not activated on this server. This is different from #93: I have the error on every request.

brockallen commented 7 years ago

I don't know then. Enable logging to see if that can give you a hint.

rbailly commented 7 years ago

No hint... :-\

automaticSilentRenew is configured, setting up silent renew Log.js:55
UserManager.getUser Log.js:55
_loadUser Log.js:55
WebStorageStateStore.get user:https://myOP/:js Log.js:55
monitorSession is configured, setting up session monitor Log.js:55
UserManager.getUser Log.js:55
_loadUser Log.js:55
WebStorageStateStore.get user:https://myOP/:js Log.js:55
OidcClient.clearStaleState Log.js:55
State.clearStaleState Log.js:55
WebStorageStateStore.getAllKeys Log.js:55
UserManager.getUser Log.js:55
_loadUser Log.js:55
WebStorageStateStore.get user:https://myOP/:js Log.js:55
UserManager.signinRedirectCallback Log.js:55
RedirectNavigator.url Log.js:55
_signinEnd Log.js:55
OidcClient.processSigninResponse Log.js:55
UrlUtility.parseUrlFragment Log.js:55
WebStorageStateStore.remove aaee0da5db7b4f7abaa11b3a3ed1feb7 2Log.js:55
no user storageString Log.js:55
got keys [] Log.js:55
waiting on promise count: 0 Log.js:55
no user storageString Log.js:65
No matching state found in storage error @ Log.js:65 (anonymous) @ OidcClient.js:99 2Log.js:55
user not found in storage app.js:183
Finished clearing old state Log.js:55
user not found in storage

brockallen commented 7 years ago

You will have to debug the web storage being used -- why is it not being persisted or loaded. Also, disable the cleanup check for now -- it's adding noise to the logs.

crh225 commented 7 years ago

@rbailly We have something working well for us.

We are using Angular 2.

When the app loads, we have an iframe that loads into the page. This hidden iframe takes care of all the redirection. When the user gets loaded, we hide the loading icon, then fade in the app. This iframe creates a second iframe to auto-renew the token. The Angular app tries to log in silently a predetermined amount of times (because the iframe takes about 2 seconds to do the redirection) and eventually the Angular app signs in silently.

The initial login page has only this code in it, besides the config object. It is an MVC view that is an iframe that gets injected at the beginning of the MVC app.

        // mgr is the app's configured Oidc.UserManager and clearOldUser() is the
        // app's own helper; both are defined alongside the config object (not shown).
        function startSigninMainWindow() {
            this.clearOldUser();
            // signinRedirect() persists the state/nonce for this request before
            // navigating to the OP; the callback page looks that state up again.
            this.mgr.signinRedirect({ scope: 'openid prog.webid prog.webapi', response_type: 'id_token token' }).then(function () {
                console.log('V2: BackgroundLogin signinRedirect done');
            }).catch(function (err) {
                console.log('V2: BackgroundLogin error', err);
            });
        }

        // No fragment in the URL means this is not a redirect back from the OP,
        // so start the sign-in.
        if (!window.location.hash) {
            this.startSigninMainWindow();
        }

This is our silent login page:

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title></title>
    <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="PUBLIC">
</head>
<body>
    <script src="libs/oidc-client.min.js"></script>
    <script>
        // Runs inside the hidden iframe: hands the OP's response back to the
        // UserManager in the parent window that started the silent sign-in.
        var mgr = new Oidc.UserManager();
        mgr.signinSilentCallback();
    </script>
</body>
</html>

brockallen commented 7 years ago

Any update?