You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
What Version of the library are you using?
Angular 14.0.4 with angular-auth-oidc-client 14.0.4
Describe the bug
When navigating a auto-login guarded route just before a silent-renew is running the library incorrectly sends the silent-renew redirect_uri to the /connect/token endpoint instead of the oidc-callback endpoint causing a 400 Bad Request with the server error invalid_redirect_uri.
Monitor the console to see when the silent refresh is about to trigger
start switching between the first and second child routes
With some luck you trigger the right sequence of events causing the issue. This might take some tries however...
Expected behavior
I don't think the silent renew is supposed to trigger during a normal authorize flow.
Screenshots
Debug logs + error in console
Desktop (please complete the following information):
OS: widows 11
Browser edge (chromium)
Version 103.0.1264.44
Additional context
I've been digging around in the code and have found the following potential issue.
The code-flow-callback-handler checks if a silent renew is running when handling the callback for a code flow.
Here a flowsDataService is checked to see wether a silent renew is currently running. Setting the redirect_uri to /silent-renew.html instead of the oidc-callback redirect_uri.
IdentityServer4 checks this and throws a 400 on the token request as a result of them being different (and thus not belonging to the same code flow).
The isSilentRenewRunning by default uses sessionStorage to check if a silent-renew is running.
I think the offending setSilentRenewRunning happens here
The text was updated successfully, but these errors were encountered:
RubMertens
changed the title
[Bug]:
[Bug]: concurrent silent-renew and normal authorize cause 400 bad request on connect/token endpoint
Jul 5, 2022
What Version of the library are you using?
Angular 14.0.4 with angular-auth-oidc-client 14.0.4
Describe the bug
When navigating a auto-login guarded route just before a silent-renew is running the library incorrectly sends the silent-renew redirect_uri to the /connect/token endpoint instead of the oidc-callback endpoint causing a 400 Bad Request with the server error invalid_redirect_uri.
To Reproduce
I've setup a repro repo on here
With some luck you trigger the right sequence of events causing the issue. This might take some tries however...
Expected behavior
I don't think the silent renew is supposed to trigger during a normal authorize flow.
Screenshots
Debug logs + error in console
Desktop (please complete the following information):
Additional context
I've been digging around in the code and have found the following potential issue.
The code-flow-callback-handler checks if a silent renew is running when handling the callback for a code flow.
Here a
flowsDataService
is checked to see wether a silent renew is currently running. Setting the redirect_uri to/silent-renew.html
instead of theoidc-callback
redirect_uri.IdentityServer4 checks this and throws a 400 on the token request as a result of them being different (and thus not belonging to the same code flow).
The
isSilentRenewRunning
by default uses sessionStorage to check if a silent-renew is running.I think the offending
setSilentRenewRunning
happens hereThe text was updated successfully, but these errors were encountered: