When there is a state or redirect_uri mismatch, an event should be emitted that can be used to detect this mismatch instead of simply logging to the console.
Describe the problem
When an authorization request fails due to a state or request_uri mismatch, there is nothing to hook into or listen to that can be used to detect when that happens.
[REQUIRED] Actual Behavior
As part of our OIDC PKCE flow for authenticating application users, we use the completeAuthorizationRequestIfPossible() method to process a response from the OpenID Connect Provider.
We noticed an issue in our application where users were bookmarking (or their browser autocompletes to) the /callback route in our application. This callback route uses AppAuth-JS to process the response from the IdP. The problem is, users are bookmarking this callback route containing an old auth code and state.
When a user accesses this URL, it ultimately leads to a state mismatch as there is no pending request in local storage. At this point, the authentication process ends with a log to the console.
From what I can see, there is no event emitted that we can listen to when this happens or relevant error thrown, which leaves our application "idle" without us knowing.
Is there currently something that we can hook into or listen to which indicates that this has happened? If not, can something be provided?
Note: There are other instances that can lead to this failure path e.g. a user bookmarking an OpenID Connect Provider URL containing our application's redirect_uri but a state from a previous request. After authenticating with the IdP, the user is redirected successfully but hits a "dead end".
[REQUIRED] Steps to reproduce the behavior
Options to reproduce:
Remove the pending request from the browser local storage before attempting to process a response OR
Include an invalid state in the URL that does not match the state in the pending request stored in the browser local storage
Expected Behaviour
[REQUIRED] Describe expected behavior
When there is a state or redirect_uri mismatch, an event should be emitted that can be used to detect this mismatch instead of simply logging to the console.