manfredsteyer / angular-oauth2-oidc

Support for OAuth 2 and OpenId Connect (OIDC) in Angular.
MIT License

Authentication flow is failing with GitHub OAuth2 APIs #845

Open sangalao opened 4 years ago

sangalao commented 4 years ago

Authentication flow is failing with GitHub OAuth2 APIs. This is because the GitHub OAuth2 API does not send the access token in JSON format by default, whereas the library expects a JSON response. See: https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/?#response

Suggestion of correction

Adding an Accept: application/json header to the access token request is required for the authentication flow to work correctly.

Add the missing header in the OauthService.OAuthService.fetchAndProcessToken(params: HttpParams): Promise<TokenResponse> method (line 1718):

      const headers = new HttpHeaders()
          .set('Content-Type', 'application/x-www-form-urlencoded')
          .set('Accept', 'application/json'); // the Accept header is the missing one

Other suggestion: add it to the other requests as well, to avoid similar issues?

To Reproduce

OAuth config used:

{
  "loginUrl": "https://github.com/login/oauth/authorize",
  "tokenEndpoint": "https://github.com/login/oauth/access_token",
  "userinfoEndpoint": "https://api.github.com/user",
  "redirectUri": "[some redirect url]",
  "silentRefreshRedirectUri": "[some refresh url]",
  "clientId": "[The GitHub app client id]",
  "dummyClientSecret": "[The GitHub app client secret]",
  "scope": "user:email",
  "requireHttps": false,
  "oidc": false,
  "skipIssuerCheck": false,
  "clearHashAfterLogin": false,
  "responseType": "code",
  "disablePKCE": true,
  "disableAtHashCheck": true
}

Expected behavior

Authentication flow shall work with GitHub OAuth2 APIs. Access token requests shall be sent with an "Accept: application/json" header.

Additional context

Other note: using an Accept: application/json header in requests works and is also accepted by other popular OAuth/OIDC providers: Azure, Google, Facebook, Keycloak (tested with a patch of the current library code).

jeroenheijmans commented 4 years ago

FWIW, I would presume that there's a workaround possible by writing an HttpInterceptor that adds the header for the needed domains?
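A framework-agnostic version of both suggestions above (the Accept header on the token request, and the interceptor-style workaround), as an added example that is not code from angular-oauth2-oidc or from either commenter. It assumes the tokenEndpoint value from the config above and constructed sample bodies, and it additionally parses the form-encoded body GitHub sends by default, so a client survives even when the header is missing.

```typescript
// Added example; not code from angular-oauth2-oidc. Framework-agnostic helpers that an
// Angular HttpInterceptor (req.clone({ setHeaders: headersFor(...) })) or any fetch
// wrapper can use. Header names, the tokenEndpoint value and sample bodies are assumed.
interface TokenResponse {
  access_token: string;
  token_type: string;
  scope?: string;
  expires_in?: number;
}
// Headers for a request to `url`: Accept: application/json is added only when the
// request targets the configured token endpoint, so other APIs keep their defaults.
function headersFor(url: string, tokenEndpoint: string,
                    base: Record<string, string> = {}): Record<string, string> {
  const headers: Record<string, string> = { ...base };
  // Compare scheme/host/path only, ignoring any query string on either side.
  if (url.split('?')[0] === tokenEndpoint.split('?')[0]) {
    headers['Accept'] = 'application/json';
  }
  return headers;
}
// Decode one application/x-www-form-urlencoded component ('+' means space).
const formDecode = (s: string): string => decodeURIComponent(s.replace(/\+/g, ' '));
// Parse the token body by its Content-Type. GitHub answers form-urlencoded unless
// Accept: application/json was sent, so a JSON-only client fails as the issue describes.
function parseTokenResponse(contentType: string, body: string): TokenResponse {
  const mediaType = contentType.split(';')[0].trim().toLowerCase();
  let data: Record<string, unknown> = {};
  if (mediaType === 'application/json') {
    data = JSON.parse(body);
  } else if (mediaType === 'application/x-www-form-urlencoded') {
    for (const pair of body.split('&').filter(Boolean)) {
      const i = pair.indexOf('=');  // split on the first '=' only; values may contain '='
      data[formDecode(i < 0 ? pair : pair.slice(0, i))] = i < 0 ? '' : formDecode(pair.slice(i + 1));
    }
  } else {
    throw new Error(`unsupported token response type: ${mediaType}`);
  }
  // A provider error (an `error` field instead of a token) must never pass as a token.
  if (data['error']) throw new Error(`token endpoint error: ${String(data['error'])}`);
  if (!data['access_token'] || !data['token_type']) {
    throw new Error('token response lacks access_token or token_type');
  }
  return {
    access_token: String(data['access_token']),
    token_type: String(data['token_type']),
    scope: data['scope'] === undefined ? undefined : String(data['scope']),
    expires_in: data['expires_in'] === undefined ? undefined : Number(data['expires_in']),
  };
}
```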