bjerkio / oidc-react

React component to provide OpenID Connect and OAuth2 protocol support. 🌳
MIT License

When Auth Server is unavailable, browser can access protected routes #925

Closed markwt-waymark closed 2 weeks ago

markwt-waymark commented 1 year ago

If I run the following code when the identity server is running, it functions as expected; I am asked to log in when attempting to access the protected dashboard route.

However, if the identity server is not running, there is no error in the console and the browser simply allows the client to access the protected route.

Am I doing something wrong here or is this a bug?

Thanks

import React from 'react';
import { createBrowserRouter, RouterProvider } from 'react-router-dom';
import { AuthProvider, User } from 'oidc-react';
// Home and Dashboard are the application's own components (imports not shown in the post).

// Settings passed to AuthProvider; all endpoints come from build-time environment variables.
const oidcConfig = {
    onSignIn: async (user: User | null) => {
        alert('You just signed in, congratz! Check out the console!');
        console.log(user);
        window.location.hash = '';
    },
    authority: process.env.REACT_APP_IDENTITY_AUTH_URL,
    clientId: process.env.REACT_APP_IDENTITY_CLIENT_ID,
    responseType: 'code',
    redirectUri: process.env.REACT_APP_IDENTITY_REDIRECT_URL,
    silentRedirectUri: process.env.REACT_APP_IDENTITY_SILENT_REDIRECT_URL,
    postLogoutRedirectUri: process.env.REACT_APP_IDENTITY_LOGOFF_REDIRECT_URL,
    scope: process.env.REACT_APP_IDENTITY_SCOPE
};

// "/" is public; only the "/dashboard" element is wrapped in AuthProvider.
const router = createBrowserRouter([
    {
        path: "/",
        element: <Home />,
    },
    {
        path: "/dashboard",
        element:
            <AuthProvider {...oidcConfig}>
                <Dashboard />
            </AuthProvider>
    }
]);

function App() {
    return (
        <React.StrictMode>
            <RouterProvider router={router} />
        </React.StrictMode>
    );
}
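
A fail-closed guard for the situation reported above, as an added example that is not part of the original post or of oidc-react: protected content is allowed only when a signed-in, unexpired user is present, so a sign-in that never completes produces a denial instead of the dashboard. The `decideAccess` helper, the `RequireAuth` wrapper named in the comment, and the sample states are assumptions; `userData` and `isLoading` are taken to be the fields returned by `useAuth()`.

```javascript
// Added example, not oidc-react code. Assumption: `auth` has the shape
// returned by oidc-react's useAuth() ({ userData, isLoading }) and `userData`
// is an oidc-client-ts User ({ access_token, expires_at, scope }).
function decideAccess(auth, requiredScopes = [], nowSeconds = Math.floor(Date.now() / 1000)) {
  // Fail closed: anything short of a positively verified session is a denial.
  if (!auth || auth.isLoading) return { allow: false, reason: 'loading' };
  const user = auth.userData;
  if (!user || typeof user.access_token !== 'string' || user.access_token === '') {
    return { allow: false, reason: 'no-user' };
  }
  // expires_at is seconds since the epoch; a missing value is treated as expired.
  if (typeof user.expires_at !== 'number' || user.expires_at <= nowSeconds) {
    return { allow: false, reason: 'expired' };
  }
  const granted = new Set(String(user.scope || '').split(/\s+/).filter(Boolean));
  const missing = requiredScopes.filter((s) => !granted.has(s));
  if (missing.length > 0) return { allow: false, reason: 'missing-scope' };
  return { allow: true, reason: 'ok' };
}

// Hypothetical wrapper, placed inside <AuthProvider> around <Dashboard />:
//   function RequireAuth({ children }) {
//     const verdict = decideAccess(useAuth(), ['openid']);
//     return verdict.allow ? children : <p>Sign-in required ({verdict.reason})</p>;
//   }

// Constructed sample states (not captured from a real session).
const NOW = 1700000000;
const SAMPLE_STATES = {
  noUserLoaded: { isLoading: false, userData: null }, // e.g. sign-in never completed
  stillLoading: { isLoading: true, userData: null },
  expired: { isLoading: false, userData: { access_token: 'x', expires_at: NOW - 1, scope: 'openid' } },
  signedIn: { isLoading: false, userData: { access_token: 'x', expires_at: NOW + 300, scope: 'openid profile' } },
};

function evaluateSamples() {
  const out = {};
  for (const [name, state] of Object.entries(SAMPLE_STATES)) {
    out[name] = decideAccess(state, ['openid'], NOW).reason;
  }
  return out;
}

console.log(evaluateSamples());
```

A client-side guard only controls what the browser renders; the APIs behind the dashboard still have to validate the access token on every request.
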

simenandre commented 1 year ago

Not sure, does your browser run any requests that fail?

simenandre commented 2 weeks ago

Closing this as stale. Please open a new issue or let me know you still have this issue in a comment 👍