Angular-auth-oidc-client: [Bug Report] - "aud do not match" error

Created on 24 Nov 2020 · 10 Comments · Source: damienbod/angular-auth-oidc-client

Describe the bug
I have set up Keycloak and implemented the OIDC client as per your example projects.
The issue is that when validating the new auth token with the refresh token flow, I receive the following error:

As can be seen from the debug trace: "aud do not match: ehealth4u-ui,fhir ehealth4u-ui,fhir"
However, these two are the exact same:
decodedIdToken.aud => ehealth4u-ui,fhir
newIdToken.aud => ehealth4u-ui,fhir

The implementation of the validation is here:
https://github.com/damienbod/angular-auth-oidc-client/blob/db2ba2a81196f697d5e7c7ecf9e6908d86c4e35c/projects/angular-auth-oidc-client/src/lib/validation/state-validation.service.ts#L65

It seems the validation isn't working as expected, as these two are equal and should never have failed validation.

if (decodedIdToken.aud !== newIdToken.aud) {
    this.loggerService.logDebug(`aud do not match: ${decodedIdToken.aud} ${newIdToken.aud}`);
    return false;
}
**aud do not match: ehealth4u-ui,fhir ehealth4u-ui,fhir**
logger.service.ts:30 authorizedCallback pre, post id_token claims do not match in refresh
logWarning @ logger.service.ts:30
validateState @ state-validation.service.ts:205
getValidatedStateResult @ state-validation.service.ts:28
callbackStateValidation @ flows.service.ts:291
(anonymous) @ flows.service.ts:76
logger.service.ts:46 AuthorizedCallback token(s) invalid
logger.service.ts:30 authorizedCallback, token(s) validation failed, resetting. Hash: 

To Reproduce
Steps to reproduce the behavior:
1) Setup of OIDC configuration:

oidcConfigService.withConfig({
    stsServer: 'https://auth.domain.com/auth/realms/myappname',
    redirectUrl: window.location.origin,
    postLogoutRedirectUri: window.location.origin,
    postLoginRoute: 'postlogin',
    clientId: 'ehealth4u-ui',
    scope: 'openid profile roles email offline_access fhir',
    responseType: 'code',
    unauthorizedRoute: '/401',
    silentRenew: true,
    useRefreshToken: true,
    silentRenewUrl: `${window.location.origin}/silent-renew.html`,
    logLevel: LogLevel.Debug,
    startCheckSession: true,
    ignoreNonceAfterRefresh: true,
});

2) Login and obtain a valid access and refresh token.

3) Wait for the token to expire

4) Review error in debug console, as provided above.

Expected behavior
Validation should not fail for refresh when useRefreshToken is set to true.

Desktop (please complete the following information):

  • OS: Windows 10
  • Browser: Chrome
  • Version: Version 86.0.4240.198 (Official Build) (64-bit)

Additional context
Auth Server: Keycloak
Server Version: 11.0.2

Labels: enhancement, investigate

All 10 comments

Hey thanks for the issue. In our sample this works, so have you checked if the string has some spaces anywhere before or after?

I think it boils down to the fact that I have 2 audiences configured, and the ordering of each audience as returned from Keycloak is not guaranteed to be the same in both scenarios.

Each audience should be checked separately, and not as a string, but rather validate that each audience defined in the array is the same.

@psavva This is required from the OIDC specs. The old and the new aud in a token refresh have to exactly match. In the first authentication, the array is checked.

// its aud Claim Value MUST be the same as in the ID Token issued when the original authentication occurred,

They do exactly match, but not necessarily in the same order.


@psavva we'll add support for this.

The old and new aud claim in the tokens are not the same. But if all the elements are the same, then this should be supported as well. I'll add an array validation to support this.

Control that all elements are in both arrays and that the length is the same.

Will add this to the next version

Greetings Damien

refresh process DEF

changes required here:

https://github.com/damienbod/angular-auth-oidc-client/blob/main/projects/angular-auth-oidc-client/src/lib/validation/state-validation.service.ts#L65

if aud == string => no changes

if aud == array then

  • old array length == new array length
  • validate all elements in old array in new array

old [x,y], new [y,x] valid
old [x,y,z], new [y,z,x] valid

old [x,y,z], new [x,y] invalid
old [x], new [y,x] invalid
old [x], new "x" (string) invalid
old "x" (string), new [x] invalid
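The comparison described in the two posts above (the reported `!==` check and the string-or-array rule listed here), as an added example in TypeScript that is not the library's own code. The `audMatchesStrict` function is the reported behaviour; `audMatches` implements the listed rules and, going beyond the list, counts occurrences so that duplicated audiences cannot slip through the length check. A missing `aud` on either side is treated as invalid, which is an assumption made here.

```typescript
// aud in a JWT may be a single string or an array of strings.
type Aud = string | string[] | undefined;

// The check from the original report. For arrays, !== compares references,
// so two distinct array objects never match even with identical contents.
// The log line looked equal because `${array}` joins elements with commas.
function audMatchesStrict(oldAud: Aud, newAud: Aud): boolean {
  return oldAud === newAud;
}

// Order-insensitive check:
//   string vs string  -> must be identical
//   string vs array   -> invalid (either direction)
//   array vs array    -> same length, every old element present in new
//   missing on a side -> invalid (assumption: aud is required in ID Tokens)
function audMatches(oldAud: Aud, newAud: Aud): boolean {
  if (typeof oldAud === 'string' || typeof newAud === 'string') {
    return oldAud === newAud;
  }
  if (!Array.isArray(oldAud) || !Array.isArray(newAud)) {
    return false;
  }
  if (oldAud.length !== newAud.length) {
    return false;
  }
  // Count occurrences so [x, x] does not match [x, y].
  const remaining = new Map<string, number>();
  for (const a of oldAud) {
    remaining.set(a, (remaining.get(a) ?? 0) + 1);
  }
  for (const a of newAud) {
    const left = remaining.get(a);
    if (!left) {
      return false;
    }
    remaining.set(a, left - 1);
  }
  return true;
}
```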

That is a perfect solution damienbod.

Thank you


@psavva we just merged a PR hopefully fixing your issue. It will be in the next release. @damienbod

Thank you.


released
