Angular-auth-oidc-client: QueryParams are getting lost when doing a silent renew

Created on 18 Jun 2020 · 4 Comments · Source: damienbod/angular-auth-oidc-client

In the codeFlowCallbackSilentRenewIframe method you define a callbackContext object with isRenewProcess set to false. isRenewProcess is responsible for showing the status when performing a renew.

const callbackContext = {
    code,
    refreshToken: null,
    state,
    sessionState,
    authResult: null,
    isRenewProcess: false, // true ?!
    jwtKeys: null,
    validationResult: null,
    existingIdToken: null,
};

https://github.com/damienbod/angular-auth-oidc-client/blob/34a9feee47ffe486ac9c9941a3a6e57534655699/projects/angular-auth-oidc-client/src/lib/iframe/silent-renew.service.ts#L79

When the renew process is running, it will reset the browser history, but it shouldn't.
isRenewProcess in this case is false but must be true.

if (this.historyCleanUpTurnedOn() && !callbackContext.isRenewProcess) {
    this.resetBrowserHistory();
} else {
    this.loggerService.logDebug('history clean up inactive');
}

https://github.com/damienbod/angular-auth-oidc-client/blob/d25469fb6f1162e110bb0b6458637412b8020c2e/projects/angular-auth-oidc-client/src/lib/flows/flows.service.ts#L252

Steps to reproduce the behavior:
The simplest example:

  1. Add query parameters to the protected route
    https://localhost:1234/user?test=test
  2. Wait for the renew process to complete.
  3. Look at the URL. It will remove the query params.
    https://localhost:1234/user

Additional context:

In version 10 you are checking if the renew process is running before calling the authorizedCallbackProcedure method.

https://github.com/damienbod/angular-auth-oidc-client/blob/1df7d5ec07f89862bedeee9f3dfad27a1b82c8fb/projects/angular-auth-oidc-client/src/lib/services/oidc.security.service.ts#L452

https://github.com/damienbod/angular-auth-oidc-client/blob/1df7d5ec07f89862bedeee9f3dfad27a1b82c8fb/projects/angular-auth-oidc-client/src/lib/services/oidc.security.service.ts#L500

bug investigate
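
An added example, not part of the issue or the library's source: a simplified TypeScript model of the guard quoted above, showing why the flag matters. History cleanup is wanted after an interactive login, where the redirect leaves code and state in the address bar, but has to be skipped for a silent renew, where the top-level window still shows the application URL. The names AddressBar, finishCallback, interactiveLogin and silentRenew are hypothetical, and resetBrowserHistory is assumed to keep only origin and path.

```typescript
// Simplified model written for this page; not the library's implementation.
interface CallbackContext {
  isRenewProcess: boolean;
}

// Stand-in for the top-level window's location/history (hypothetical).
interface AddressBar {
  href: string;
}

// Assumed behaviour of resetBrowserHistory(): keep origin + path, drop the query string.
function resetBrowserHistory(bar: AddressBar): void {
  const url = new URL(bar.href);
  bar.href = url.origin + url.pathname;
}

// The guard quoted in the issue, with the address bar injected so it can be checked.
function finishCallback(bar: AddressBar, ctx: CallbackContext, historyCleanUpTurnedOn: boolean): string {
  if (historyCleanUpTurnedOn && !ctx.isRenewProcess) {
    resetBrowserHistory(bar);
  }
  return bar.href;
}

// Interactive login: the redirect put code/state (constructed values) into the
// address bar, so removing them from the visible URL is the intended effect.
function interactiveLogin(): string {
  const bar: AddressBar = { href: 'https://localhost:1234/?code=CONSTRUCTED_CODE&state=CONSTRUCTED_STATE' };
  return finishCallback(bar, { isRenewProcess: false }, true);
}

// Silent renew: code/state arrive in the hidden iframe, while the top-level
// window still shows the application route from the reproduction steps.
function silentRenew(isRenewProcess: boolean): string {
  const bar: AddressBar = { href: 'https://localhost:1234/user?test=test' };
  return finishCallback(bar, { isRenewProcess }, true);
}

console.log('interactive login :', interactiveLogin());
console.log('renew, flag false :', silentRenew(false)); // reported behaviour: ?test=test is gone
console.log('renew, flag true  :', silentRenew(true));  // application query params survive
```

The three calls double as a regression check: a renew that reaches the guard with isRenewProcess set to false is indistinguishable from a login callback, which is the behaviour reported here.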

All 4 comments

Hey Roman, thanks for the issue. So the bug is that the parameters are dropped when doing a silent renew or that the persisted renew state is not correct? Thanks.

Hey Fabian! Yes, the main bug is that the parameters are dropped when doing a silent renew.

Which config are you using?

This one:

{
    stsServer: 'https://localhost:1234',
    clientId: '',
    redirectUrl: 'http://localhost:1234',
    silentRenewUrl: 'http://localhost:1234/silent-renew.html',
    responseType: 'code',
    scope: '',
    postLogoutRedirectUri: 'http://localhost:1234',
    silentRenew: true,
    startCheckSession: true,
    forbiddenRoute: '/forbidden',
    unauthorizedRoute: '/unauthorized',
    maxIdTokenIatOffsetAllowedInSeconds: 10,
    triggerAuthorizationResultEvent: true,
    logLevel: 0,
}