damienbod / angular-auth-oidc-client

npm package for OpenID Connect, OAuth Code Flow with PKCE, Refresh tokens, Implicit Flow
https://www.npmjs.com/package/angular-auth-oidc-client
MIT License
1.14k stars, 430 forks

silent renew iframe error #590

Closed koo9 closed 4 years ago

koo9 commented 4 years ago

hi

Getting this error when it's doing silent renew:

Refused to display 'https://localhost:44385/home/error?errorId=CfDJ8AYyttD0Yl1Ov-y-FXDxH2P0-9pJ7-hxGDRwVsYkW9mKghhtH4dKfFden02ijH3Eu4B2_VDtolE1uqrXP21U0XIIGWfghozg13BdafBBkeP465RynRvD-rQ_onqkW0kdgZYNyo2QlDaTLHGr-_BSYACM1SJZpMGWdNBQ-MzZq_xUmB6SBOtJ_FlSsYqtL0iYfbcBNgl9kHbfqhEzWPK1zweXn3gslZ743qVf0kZtQP_qCh4uQC02CygBO_889O-CIgAG7oDGIJouwKEwWuKtX-RY2RjfNZvgsvOtZFly_atUsNiG6NwYBVdLn-HDUnRWiw' in a frame because an ancestor violates the following Content Security Policy directive: "frame-ancestors 'none'".

what could cause this?

Thx

damienbod commented 4 years ago

Hi @koo9

These are the security settings on the server blocking your request. You need the server to update its CSP to remove the none and add your client domain.

Greetings Damien

koo9 commented 4 years ago

@damienbod here's the CSP for IDP.

```csharp
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
var csp = "default-src 'self'; object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';";
// also consider adding upgrade-insecure-requests once you have HTTPS in place for production
//csp += "upgrade-insecure-requests;";
// also an example if you need client images to be displayed from twitter
// csp += "img-src 'self' https://pbs.twimg.com;";

// once for standards compliant browsers
if (!context.HttpContext.Response.Headers.ContainsKey("Content-Security-Policy"))
{
    context.HttpContext.Response.Headers.Add("Content-Security-Policy", csp);
}
// and once again for IE
if (!context.HttpContext.Response.Headers.ContainsKey("X-Content-Security-Policy"))
{
    context.HttpContext.Response.Headers.Add("X-Content-Security-Policy", csp);
}
```

where to add the client domain?

I am running the sample ids which has the same CSP, it works but not my own ids.

Update:

When pointing to the ids that works for the auth code flow sample, I still got the same CSP error, so it might be something on the client side that creates the hidden iframe, but I couldn't find anything related to creating the iframe.

damienbod commented 4 years ago

You could do it something like this (using NWebSec):

https://github.com/damienbod/AspNet5IdentityServerAngularImplicitFlow/blob/master/src/StsServerIdentity/Startup.cs#L177-L179
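To see why the policy above kept the IdP's error page out of the silent-renew iframe, here is a simplified model of the browser's `frame-ancestors` decision. This is an added example, not code from angular-auth-oidc-client or from Damien's sample; the IdP origin is taken from the error message in the issue and the SPA origin is a constructed value.

```javascript
// Added example: simplified model of the browser's CSP frame-ancestors check.
const IDP_ORIGIN = 'https://localhost:44385'; // IdP origin from the error in this issue
const SPA_ORIGIN = 'https://localhost:4200';  // constructed origin of the Angular app
const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// Return the frame-ancestors source list, or null if the directive is absent.
function frameAncestors(csp) {
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Match one source expression ('none', 'self', '*', or a host-source such as
// https://app.example.com:4200 or *.example.com) against the embedding origin.
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return ancestorOrigin === pageOrigin;
  if (source === '*') return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const a = new URL(ancestorOrigin);
  const pageScheme = new URL(pageOrigin).protocol;
  // Scheme omitted in the source: the ancestor may use the page's scheme or https.
  if (scheme ? `${scheme}:` !== a.protocol : a.protocol !== pageScheme && a.protocol !== 'https:') return false;
  if (wildcard ? !a.hostname.endsWith(`.${host}`) : a.hostname !== host) return false;
  // Port omitted in the source means only the scheme's default port matches.
  const actualPort = a.port || DEFAULT_PORT[a.protocol] || '';
  if (port === undefined ? a.port !== '' : port !== '*' && port !== actualPort) return false;
  return true;
}

// Would a page served with this CSP render inside a frame owned by ancestorOrigin?
function canFrame(csp, ancestorOrigin, pageOrigin) {
  const sources = frameAncestors(csp);
  if (sources === null) return true; // no directive: CSP does not restrict framing
  return sources.some((s) => sourceMatches(s, ancestorOrigin, pageOrigin));
}

// The policy posted in this issue refuses every ancestor, so the IdP error page
// served with it cannot render inside the app's silent-renew iframe.
const CSP_FROM_ISSUE = "default-src 'self'; object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';";
// A policy that lets only the IdP itself and the one SPA origin frame it.
const CSP_ALLOW_SPA = `default-src 'self'; object-src 'none'; frame-ancestors 'self' ${SPA_ORIGIN}; base-uri 'self';`;

console.log(canFrame(CSP_FROM_ISSUE, SPA_ORIGIN, IDP_ORIGIN)); // false
console.log(canFrame(CSP_ALLOW_SPA, SPA_ORIGIN, IDP_ORIGIN));  // true
```

Listing the exact SPA origin rather than `*` keeps the IdP's login and error pages unframeable by any other site, which is the property `frame-ancestors 'none'` was protecting.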

koo9 commented 4 years ago

@damienbod thx will take a look.

koo9 commented 4 years ago

It seems like it's the issue with the silent-renew.html. After correcting that, the silent renew works! No changes made on the IDS side.

bsheriff commented 4 years ago

@koo9 I am having the same issue how did you end up correcting this? I see you mentioned "it's the issue with the silent-renew.html". What exactly did you fix in that file? Do you mind explaining a little further, I am kind of stuck on this problem.

Thank You

koo9 commented 4 years ago

@bsheriff it's the path to silent-renew.html. Make sure the path is correct.

bsheriff commented 4 years ago

@koo9 thanks for the quick response, but I am still a bit confused, do you mind being a bit more specific on what you mean by "path", I updated the silent-renew.html file based on what the documentation had said.

koo9 commented 4 years ago

The path is the correct URL to silent-renew.html. I made a mistake by pointing to a wrong URL.