Angular-oauth2-oidc: "validating access_token failed. wrong state/nonce." when performing silentRefresh manually

Created on 14 Nov 2018 · 5 Comments · Source: manfredsteyer/angular-oauth2-oidc

Angular version: 5.2.7
angular-oauth2-oidc version: 3.1

I have the following setup:

    oauthConfig.clientId = authConfig.clientId;
    oauthConfig.redirectUri = this.checkURL(authConfig.redirectUri);
    oauthConfig.scope = authConfig.scope;
    oauthConfig.oidc = true;
    oauthConfig.issuer = this.checkURL(authConfig.issuer);
    oauthConfig.requireHttps = authConfig.requireHttps;
    oauthConfig.silentRefreshRedirectUri = this.checkURL(authConfig.redirectUri + '/silent-refresh.html');
    this.oauthService.configure(oauthConfig);
    this.oauthService.setupAutomaticSilentRefresh();

When performing a silent refresh, I need to get the new access token and pass it to other parts of the application. This is how I attempt to get the token:

    this.oauthService.events.subscribe(({ type }) => {
      switch (type) {
        case 'token_refreshed': {
          // This event doesn't get detected when the automatic silent refresh happens
          break;
        }
        case 'silently_refreshed': {
          // This event doesn't get detected when the automatic silent refresh happens
          break;
        }
        case 'token_expires': {
          this.oauthService.silentRefresh().then(() => {
            // Here I want to pass the new token to the other parts of the app
          }).catch((err) => { return; });
          break;
        }
      }
    });

When I manually do the silent refresh, I get an error that says "validating access_token failed. wrong state/nonce.".

I have auto-silent refresh set up as well; however, the events are not triggered when the silent refresh happens, so I can't pass the token to the other parts of the application there either.

The silent refresh request always returns a 302 error.

Am I doing something wrong?

I'm using initImplicitFlow() BTW.

All 5 comments

302 should be fine. It's just the redirect back to your SPA.

This issue occurs most of the time due to a race condition. Is it possible that "at the same time" another part of the software is calling silentRefresh or initImplicitFlow?

In this case, the following sequence would happen:

  • silentRefresh creates a nonce (let's call it nonce1) and requests redirect
  • other silentRefresh/ initImplicitFlow overrides (let's call it nonce2)
  • token comes back with original nonce (nonce1)
  • lib detects that nonce1 !== nonce2 --> error

@manfredsteyer
Thank you for the response!

Just double checked the application - there is no way that any other part of the application is calling silent refresh or init implicit flow. Are there any other possible reasons?

Another weird thing is that if I have automatic silent refresh set up, this.oauthService.events.subscribe only detects 'token-expires' event and does not detect the 'silently_refreshed' event.

Can you reproduce this using a simple example?

Never mind, turns out I was using wrong redirectUri in the config. This issue can be closed.

@gustavshf Good to hear you found the root cause. I think you can close the issue yourself, should be a button next to the green "Comment" button at the bottom of the page.
