Closed jonathan-fan-versent closed 5 years ago
You cannot write to local storage on behalf of another domain. Also, if you want to, you can shim LocalStorageBackend
and implement it to do whatever you want.
I am also unsure about exactly what the problem seems to be ? Why do you want the verifier
on both domains ?
Hi @tikurahul, thanks for your reply.
I am not trying to write to local storage on behalf of another domain. After deploying to prod
env I need internal.code_verifier
to be written in local storage under prod
domain.
The problem is:
internal.code_verifier
can be written in local storage under 'localhost:8000'.internal.code_verifier
can NOT be written in local storage under prod domain. The left-hand side screenshot is taken on prod domain, which doesn't have internal.code_verifier
.
As you can see from the code, the TokenRequest
needs code_verifier
to pass in.
Why can't you write it in the prod domain though ?
If you are relying on localstorage
it should work (unless the user is in incognito mode).
The user is not in incognito mode, and I don't have control of writing it.
I am using RedirectRequestHandler
, and here is the code from AppAuth.
https://github.com/openid/AppAuth-JS/blob/master/src/redirect_based_handler.ts#L63-L71
You have full control on the LocalStorageBackend
. Also what is the error you are seeing ? I am still unclear why everything but the verifier is getting saved ?
That's the same question I am asking here: 'why everything but the internal
is getting saved'.
The error message is 'code_verifier' is undefined
as I am trying to get it from local storage which should have internal.code_verifier
.
and even I have full control of LocalStorageBackend
, the code_verifier
and challenge
are generated within https://github.com/openid/AppAuth-JS/blob/master/src/authorization_request.ts#L79-L101 and doesn't expose to the outside app.
I have no idea why. This is your code and your deployment. It works well in the sample app and from what I can tell in your local environment. You have to debug and figure things out.
You have access to the internal data via the internal
property. You are creating the request to begin with. This is a low level OAuth2 API and you have to understand what's going on.
If you have a better bug report, please feel free to reopen the bug. Otherwise Stackoverflow might be a better place to ask.
Hei all, I have the same problem and perhaps some clues to identify the cause :
window.sessionStorage
http://localhost:8080
it workshttp://192.168.128.128:8080
I don't know if you want to reopen this issue, but I feel like this is a better place than Stackoverflow to discuss about this weird behaviour.
My guess is that Chromium browsers don't like localStorage and sessionStorage anymore on non HTTPS or localhost.
To make it work in IE11 you'll need almost everything from the list:
import 'core-js/features/promise';
import 'core-js/features/object';
import 'core-js/features/array';
import 'core-js/features/array-buffer';
import 'core-js/web';
import 'whatwg-fetch';
import 'webcrypto-shim';
The problem with code_verifier
in particular caused by the missing window.crypto
and even having window.crypto = window.crypto || window.msCrypto
is not a cure because msCrypto
does not return promises but CryptoOperation
.
https://developer.mozilla.org/ru/docs/Web/API/SubtleCrypto/digest
Expected Behavior
[REQUIRED] Describe expected behavior
During 'performAuthorizationRequest',
internal.code_verifier
should be written into local storage for both localhost and hosted domain. Need to retrievecode_verifier
from local storage to get tokens. Or if there is a better way to getinternal.code_verifier
, please let me know. Thanks a lot.Describe the problem
[REQUIRED] Actual Behavior
When deployed code to a hosted domain, the whole
internal
property is missing in Chrome and IE 11. Please refer to the following screenshot, the left-hand side is hosted domain which doesn't haveinternal.code_verifier
, and the right-hand side is localhost which hasinternal.code_verifier
[REQUIRED] Steps to reproduce the behavior
[REQUIRED] Environment
export async function authenticate() { const config = await getConfig();
const request = new AuthorizationRequest({ client_id: CLIENT_ID, redirect_uri: redirectUri, scope: 'offline_access', response_type: AuthorizationRequest.RESPONSE_TYPE_CODE }); const authorizationHandler = new RedirectRequestHandler(); authorizationHandler.performAuthorizationRequest(config, request); } // ... export async function getTokensByCode({ code }) { const config = await getConfig(); const currentAuthRequestValue = localStorage.getItem('appauth_current_authorization_request'); const { internal: { code_verifier}} = JSON.parse(localStorage.getItem(currentAuthRequestValue + '_appauth_authorization_request')); const request = new TokenRequest({ client_id: CLIENT_ID, redirect_uri: redirectUri, grant_type: GRANT_TYPE_AUTHORIZATION_CODE, code, extras: { code_verifier } }); const tokenHandler = new BaseTokenRequestHandler(requestor); return await tokenHandler.performTokenRequest(config, request); }