Angular-auth-oidc-client: checkAuth returning null when href target="_blank"

Created on 23 Feb 2021 · 8 Comments · Source: damienbod/angular-auth-oidc-client

Describe the bug
The OidcSecurityService.checkAuth() returns null when a tab is opened by clicking an href with target="_blank". Since storage=localstorage, it should return true, not null.

To Reproduce
Steps to reproduce the behavior:

  1. Edit the https://github.com/damienbod/angular-auth-oidc-client/blob/main/projects/sample-code-flow-auto-login/ sample
  2. In auth-config.module set storage: localstorage
  3. Add a link somewhere <a href="/" target="_blank">My Link</a>
  4. Start the app, login, then click the link.
  5. Notice the new tab opens and a loop ensues between authentication and autologin.

Expected behavior
Since storage is localstorage, the new tab should know we are authenticated and checkAuth() should return true.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: Windows 10
  • Browser: Chrome
  • Version: 87.0.4280.88 (Official Build) (64-bit)

Additional context
If the tab is opened by right click, "open link in new tab", it works (instead of regular left click).

I think the problem is the library thinks the new tab is a popup. From CheckAuthService:

    if (this.popupService.isCurrentlyInPopup()) {
        this.popupService.sendMessageToMainWindow(currentUrl);
        return of(null);
    }

But it probably shouldn't be doing this when storage=localstorage?

bug
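The misclassification described in the report can be modelled without a browser. The following is an added example, not code from the issue or from angular-auth-oidc-client: it assumes the popup check reduces to "this window has an opener", and the name `oidc-login-popup` plus all function names are hypothetical. It compares that opener-only check with one that also requires a marker set by the login flow itself.

```javascript
// Constructed model of browsing contexts: plain objects stand in for Window,
// so this runs in Node without a DOM.
const LOGIN_POPUP_NAME = 'oidc-login-popup'; // hypothetical window name

// How each way of opening the app sets `opener` and `name` in the new context.
// Assumption: a target="_blank" link without rel="noopener" keeps window.opener
// (browser-dependent); rel="noopener" and "open link in new tab" do not.
function openContext(main, how) {
  switch (how) {
    case 'login-popup':         // window.open(url, LOGIN_POPUP_NAME, features)
      return { opener: main, name: LOGIN_POPUP_NAME };
    case 'window-open-blank':   // window.open(url, '_blank')
    case 'link-blank':          // <a href="/" target="_blank">
      return { opener: main, name: '' };
    case 'link-blank-noopener': // <a href="/" target="_blank" rel="noopener">
    case 'context-menu-tab':    // right click, "open link in new tab"
      return { opener: null, name: '' };
    default:
      throw new Error(`unknown open method: ${how}`);
  }
}

// Opener-only heuristic (assumed shape of the check that misfires).
function isPopupByOpener(win) {
  return !!win.opener && win.opener !== win;
}

// Stricter check: an opener alone is not enough; the window must also carry
// the name that the login flow itself passed to window.open().
function isLoginPopup(win) {
  return isPopupByOpener(win) && win.name === LOGIN_POPUP_NAME;
}

// Returns one row per open method so the two checks can be compared.
function compareChecks() {
  const main = { opener: null, name: '' };
  const methods = ['login-popup', 'window-open-blank', 'link-blank',
    'link-blank-noopener', 'context-menu-tab'];
  return methods.map((how) => {
    const win = openContext(main, how);
    return { how, openerOnly: isPopupByOpener(win), strict: isLoginPopup(win) };
  });
}

console.table(compareChecks());
```

A real implementation has to pick a marker that survives the redirect to the identity provider and back; the window name is used here only to keep the model small.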

All 8 comments

Hey thanks, will talk to @damienbod and look into this.

Verified this bug occurs even with default storage setting (session).

Steps to reproduce are simple, just add <a href="\" target="_blank">Link</a> to angular-auth-oidc-client-main\projects\sample-code-flow-auto-login\src\app\home\home.component.html, start project, login and click link. Tab will open and get caught in repeated redirection to autologin (due to CheckAuthService code mentioned above).

Hey, I could not reproduce the issue the way you described. What I did was that I opened a "normal" popup via window.open(...) and with this I could reproduce the issue. Fixed this now in the PR mentioned above and added a button & link to open new popups. I am 99% sure this fixes your issue as I could not reproduce it the way you said.

Appreciate the quick fix. I'm surprised you could not reproduce, as all you have to do is add <a href="\" target="_blank">Link</a> to _angular-auth-oidc-client-main\projects\sample-code-flow-auto-login\src\app\home\home.component.html_, run _npm run start-sample-code-flow-auto-login_ and click the link.

Yeah, but maybe we have different browser settings concerning popups ;) Also, I am wondering what a backslash as a link should do, as you mention a normal slash in the first post. But I got the idea, I think. I think I could reproduce it and hopefully fixed it :-) You can test btw and let us know!

Verified the PR fixes the issue. Thanks for such a fast turnaround.

The above issue is still happening for the sample-code-flow-auto-login project; the list of changes I've made in the sample is below.

home.component.html

    <div>Welcome to home Route</div>

    <br />
    Is Authenticated: {{ isAuthenticated$ | async }}
    <pre>{{ userData$ | async | json }}</pre>

    <button (click)="openWindow()">Open normal popup</button>

home.component.ts

    export class HomeComponent implements OnInit {
        userData$: Observable<any>;
        isAuthenticated$: Observable<boolean>;

        constructor(public oidcSecurityService: OidcSecurityService) {}

        ngOnInit() {
            this.isAuthenticated$ = this.oidcSecurityService.isAuthenticated$;
            this.userData$ = this.oidcSecurityService.userData$;
        }

        openWindow() {
            window.open('http://localhost:4200', '_blank');
        }
    }

Here localhost:4200 is another application having the same clientId.

Hey @abdulfousan ,

If you open up a new window, this is a completely new instance. You are not authenticated in there. You can add an AutoLoginGuard to be redirected to the sts automatically if you want.
