manfredsteyer / angular-oauth2-oidc

Support for OAuth 2 and OpenId Connect (OIDC) in Angular.
MIT License
1.92k stars 692 forks source link

Debugging of incorrect Nonce (mixup with State) #1458

Open SchoolGuy opened 1 week ago

SchoolGuy commented 1 week ago

Describe the bug

After the user has logged in the client receives the correct access token which works when being used with the backend. The library correctly reports a failing nonce check.

Stackblitz example

I don't have a Stackblitz example but here are the relevant repositories:

To Reproduce

Steps to reproduce the behavior:

  1. Build the Backend and Frontend
  2. Start the devel compose
  3. Accept the incorrect certificate errors on all three services in the web browser
  4. Set the password in Casdoor for the testuser
  5. Try logging into the frontend

Expected behavior

I would expect the login to work since I can see that

Desktop (please complete the following information):

Additional context

My authentication service is taken over from the example implementation of jeroenheijmans. If the network requests are closely monitored, one can see that the library takes the nonce from the state. I don't know if this is an incorrect Casdoor behavior but in the Casdoor UI under "Tokens" I can see that the Nonce is the one that is printed in the error message. As such it seems that all data is present but somewhere there is a mixup of nonce and state. I am unsure how to debug this mixup and if this is configuration or code-related.

SchoolGuy commented 1 week ago

Here a screenshot to try and visualize what I mean by mixup:

grafik

The nonce in Session/Local-Storage (tried both ways) is this one eWdjODFsQVBob2F6YX55b19qM0F3cURtd1RvOHF0a2dFMHZIRURxVzlYdzEu (which is actually the state when I check the connection tab).

My hair is turning grey because I am trying to find this one out for a couple of days already.

SchoolGuy commented 1 week ago

I found a promising lead on Stackoverflow: https://stackoverflow.com/a/77825619

SchoolGuy commented 1 week ago

Yes, toggling the two settings on the application page fixes the issue:

  1. Signin session
  2. Auto signin
SchoolGuy commented 1 week ago

Depending on the desire of the maintainer(s) I am willing to submit a PR that documents this.