Identityserver4: Latest Identity Server 4 OIDC Form Post doesn't work when run in a WinForms WebBrowser control

Created on 27 Mar 2019  路  13Comments  路  Source: IdentityServer/IdentityServer4

We use an Identity Server 4 website to sign users into to an Outlook Add-In we have developed.

We use the IdentityModel.OidcClient NuGet package to do something similar to the sample found here:

https://github.com/IdentityModel/IdentityModel.OidcClient.Samples/tree/master/WinFormsWebView

In such a scenario, the identity website is hosted in a window containing the WinForms WebBrowser control (essentially an ActiveX version of IE11).

For various compatibility reasons, Microsoft decided that when the web browser is embedded as a control to run it in IE7 document mode by default (unless the page says otherwise).

See here for more info:
https://weblog.west-wind.com/posts/2011/may/21/web-browser-control-specifying-the-ie-version
https://blogs.msdn.microsoft.com/patricka/2015/01/12/controlling-webbrowser-control-compatibility/

The commit c639b3bb0c90e524725250a34204eb596c74a84c in the IdentityServer4 git repo has broken the JavaScript post for us (navigation doesn't happen and the browser stays on the form post page). The change was for issue https://github.com/IdentityServer/IdentityServer4/issues/2947

In this commit this file:

\src\IdentityServer4\src\Endpoints\Results\AuthorizeResult.cs

The hard coded form post HTML changed from this:

private const string FormPostHtml = "<html><head><base target='_self'/></head><body><form method='post' action='{uri}'>{body}<noscript><button>Click to continue</button></noscript></form><script>(function(){document.forms[0].submit();})();</script></body></html>";

to this:

private const string FormPostHtml = "<html><head><base target='_self'/></head><body><form method='post' action='{uri}'>{body}<noscript><button>Click to continue</button></noscript></form><script>window.addEventListener('load', function(){document.forms[0].submit();});</script></body></html>";

The issue is with 'addEventListener' which is not supported in IE7 document mode.

For this to happen we need to tell the browser it is OK to render this using the latest IE version. To do this we need the HTML post page to contain this meta tag: 

<meta http-equiv="X-UA-Compatible" content="IE=edge" />

There doesn't seem to be an easy way to supply our own form post HTML to override the hard coded version. For now I have managed a workaround by writing some aspnet core middleware to detect when we are on a '/connect/authorize' page and inject the compatibility meta tag.

Would it be possible for this meta tag to be added to the FormPostHtml in 'AuthorizeResult.cs' so that it is no longer an issue? Or alternatively provide some way to override it?

I expect there may be a few others who are using identity server from a WinForms WebBrowser control that may run into this issue.

When searching for existing issues, I saw #3121 which is likely to be the same issue and also be solved by this change.

Thank you for your time.

Martin.

bug
Source
picture martinw3
👍9

Most helpful comment

If anyone is still looking for a workaround, an easier option is to add an HTTP header to all the pages:

X-UA-Compatible: IE=edge

This achieves the same as adding the meta tag.

picture martinw3 on 1 Apr 2019
👍7

All 13 comments

We are in the same boat, in this case with WPF (it also uses WebBrowser).

OrihuelaConde picture OrihuelaConde on 28 Mar 2019

If anyone is still looking for a workaround, an easier option is to add an HTTP header to all the pages:

X-UA-Compatible: IE=edge

This achieves the same as adding the meta tag.

martinw3 picture martinw3 on 1 Apr 2019
👍7

Same here when IE switches to non-edge mode when IdentityServer host is in the "Local intranet zone".

Error in F12 tools: _Object doesn't support property or method 'addEventListener'_

ulrichb picture ulrichb on 9 Apr 2019

Is anyone willing to PR - this would speed up the process.

leastprivilege picture leastprivilege on 9 Apr 2019

Yea, I guess all we need is the meta tag in our rendered html. We used to do this, but we decided to no longer support old/deprecated browsers.

brockallen picture brockallen on 9 Apr 2019
👍1

+1 for the meta element. Doesn't really hurt and should fix this scenario.

ulrichb picture ulrichb on 9 Apr 2019

Done.

brockallen picture brockallen on 10 Apr 2019
👍6

@brockallen
How can I get this fix? Do I need to use 2.5 preview or wait for the full release? Is there a way to patch in 2.4?

Jonesie picture Jonesie on 14 May 2019

the milestone says 2.5

brockallen picture brockallen on 14 May 2019
😕1

Use the 2.5 preview if you need the fix now.

leastprivilege picture leastprivilege on 14 May 2019
👍2

You could also add this to your web.config, machine config as a workaround until the fix is deployed. 

  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <clear />
        <add name="X-UA-Compatible" value="IE=Edge" />
      </customHeaders>
    </httpProtocol>
damienbod picture damienbod on 14 May 2019
👍3

Just upgraded to ID4 2.4 and this broke my MS-OFBA integration in Office. Was just trying to find between the version when i found this. Great that it is fixed, will try to solve it with the web.config update above.

Robban1980 picture Robban1980 on 19 Jun 2019
👍1

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

lock[bot] picture lock[bot] on 11 Jan 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mackie1001 picture mackie1001  路  3Comments
leastprivilege picture leastprivilege  路  3Comments
agilenut picture agilenut  路  3Comments
ekarlso picture ekarlso  路  3Comments
brockallen picture brockallen  路  3Comments