Angular-oauth2-oidc: ValidationHandler issues in version 5.0.0

Created on 24 Oct 2018  路  6Comments  路  Source: manfredsteyer/angular-oauth2-oidc

Hey! First off, good work on reducing bundle-size when moving to browser-API's instead of 3rd party libs! However, there's some new issues with the JwksValidationHandler:

First off, the inferred algorithm is missing a hyphen when compared to the accepted algorithms listed on the API documentation for SubtleCrypto#digest:

https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/digest

In my case the inferred algorithm is sha256, but the missing hyphen leaves me with this exception when it runs crypto.subtle.digest():

DOMException: Algorithm: Unrecognized name

I think this can be sorted by adding the hyphen here: https://github.com/manfredsteyer/angular-oauth2-oidc/blob/master/projects/lib/src/token-validation/validation-handler.ts#L78 so the inferred algorithm would be sha-256

Secondly, in ValidationHandler#validateAtHash I get this error:
angular-oauth2-oidc.js?5916:1185 DOMException: Failed to execute 'btoa' on 'Window': The string to be encoded contains characters outside of the Latin1 range. when running btoa(leftMostHalf) located here: https://github.com/manfredsteyer/angular-oauth2-oidc/blob/master/projects/lib/src/token-validation/validation-handler.ts#L49

picture ampled
👍5

Most helpful comment

Thx again for this report. Unfortunately, we've tested this under the wrong circumstances. Now it works as before using jsrasign.

But we are sill looking into ways to get rid of it.

https://github.com/manfredsteyer/angular-oauth2-oidc/releases/tag/5.0.2

picture manfredsteyer on 24 Oct 2018
👍3

All 6 comments

Same with me.
When using JwksValidationHandler i get the error in console:
2018-10-24 12_48_10-about - aistoxt

of course the error goes away when using a NullValidationHandler

enterprisebug picture enterprisebug on 24 Oct 2018
👍3

If i start my app in development mode with the --host parameter under Chrome the window.crypto Object is empty (Crypto聽{}). This will produce an error in the calcHash() method (trying to access subtle.digest()). Starting the app on localhost will result in the same errors as mentioned above.

nk6 picture nk6 on 24 Oct 2018

Hi. I also have both those errors - with algorithm name and with btoa(leftMostHalf)

SonicGD picture SonicGD on 24 Oct 2018

Thx for reporting this. Currently, I'm looking into it. Can you give me a hint how to reproduce this issue? I didn't see it in the sample app so far. What's different there?

manfredsteyer picture manfredsteyer on 24 Oct 2018

Thx again for this report. Unfortunately, we've tested this under the wrong circumstances. Now it works as before using jsrasign.

But we are sill looking into ways to get rid of it.

https://github.com/manfredsteyer/angular-oauth2-oidc/releases/tag/5.0.2

manfredsteyer picture manfredsteyer on 24 Oct 2018
👍3

@manfredsteyer what's the specific issue holding this up? According to MDN (https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto) the only different implementation is IE11 that returns a CryptoOperation instead of a Promise.

But that could be worked around i suppose?

jpzwarte picture jpzwarte on 2 Dec 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Swissbite picture Swissbite  路  4Comments
zulander1 picture zulander1  路  4Comments
PaulienVa picture PaulienVa  路  4Comments
prmces picture prmces  路  4Comments
andrea-spotsoftware picture andrea-spotsoftware  路  3Comments