okta / okta-auth-js

The official js wrapper around Okta's auth API

Redirect to redirect_uri not happening after @okta/okta-signin-widget upgrade from 4 to 5 #976

Open florin05 opened 3 years ago

florin05 commented 3 years ago

Hello

We have an Angular app using "@okta/okta-signin-widget" version 5.12.0 with this configuration:

{
  redirectUri: window.location.origin + environment.authorizationCallbackUri,
  authParams: {
    issuer: environment.oktaServer + '/oauth2/default',
    pkce: true,
    responseType: ['code'],
    responseMode: 'query',
  }
}

After upgrading from Angular 9 to 11 (and the widget from 5.4 to 5.12), the redirect to the client callback URL is not happening anymore. I see two new parameters (10 and 11 below) in the request to https:///oauth2/default/v1/authorize. I am not sure why they are there now, but I am guessing they are responsible for the fact that we no longer see the 302 redirect as the outcome of the "/authorize" call.

  1. client_id: ...
  2. code_challenge: ...
  3. code_challenge_method: S256
  4. nonce: ...
  5. redirect_uri: .../authorization-code/callback
  6. response_type: code
  7. sessionToken: ...
  8. state: ...
  9. scope: openid email
  10. prompt: none
  11. response_mode: okta_post_message

aarongranick-okta commented 3 years ago

@florin05 Thank you for using Okta. Those two parameters you are seeing, "prompt" and "response_mode", are used by the widget when silently receiving tokens. I am assuming that since you are using Angular, this is a SPA application (please confirm). In many cases it is not necessary for SPA applications to redirect; the tokens are returned directly by the widget.

For example:

oktaSignIn.showSignIn().then(res => {
  // res.tokens holds the tokens the widget obtained without a redirect;
  // handleLoginRedirect stores them and navigates to the original URI.
  oktaSignIn.authClient.handleLoginRedirect(res.tokens);
}).catch(err => console.error(err));

This will retrieve tokens, set them in storage, and then navigate to the app origin or to the protected route (if that is what triggered the login).

https://github.com/okta/samples-js-angular/blob/master/custom-login/src/app/login/login.component.ts#L57

(Note that while this sample uses showSignInToGetTokens, we recommend using showSignIn as it can also handle cases where your app WILL need to handle a callback on redirectURI, such as when using a 3rd party IDP)

florin05 commented 3 years ago

@aarongranick-okta , thank you for your answer. Indeed our app, like all Angular ones I believe, is a SPA application.

We have our own wrapper around the @okta/okta-signin-widget and have been using it successfully with version 4.x of that widget. We use the PKCE workflow, and it was redirecting to the callback URL after authentication.

But it seems that after we upgraded to version 5.x, the redirect step is not happening, from what I read here: https://github.com/okta/okta-signin-widget#authclient

> SPA Application
>
> Although a redirectUri is required in the configuration, no redirection will occur using this flow. The Sign-in Widget will communicate with Okta and receive tokens directly.

I thought that was part of the PKCE flow, a callback is always needed to exchange/validate the code and get the tokens. Does this mean that now PKCE, the default flow, works without that callback redirect? Or do I need to invoke that step explicitly?