Oidc-client-js: signinSilent not working
Hi,
I have the oidc implemented following the Angular2 example.
It works to signinRedirect and to signoutRedirect , also automaticSilentRenew is set to true and works, when the token expires I receive a new valid one.
The issue is that the signinSilent is not working, when I call the method I'm still logged in with a valid token and I receive :
user not found in storage
signinRedirectCallback successful, signed in sub: 8608ac66dd2d4cfb122e40d0c6050e43
Error: Frame window timed out
Even the frame error I receive a new valid token, so it almost works fine.
I also managed to debug the silent iframe link, trying in a new tab it says :
No matching state found in storage
user not found in storage
Any ideas ?
PS : The oidc config is set based on Angular2 example, redirect_uri and silent_redirect_uri are simple valid HTML files, are not part of the SPA (same as in the example)
tibbus
All 10 comments
I have a single redirect uri for login and silent login as just component in my angular spa an had same issue when was trying to use silent login:
"authority": "http://localhost:5000",
"redirect_uri": "http://localhost:4201/login",
"post_logout_redirect_uri" : "http://localhost:4201/login",
"automaticSilentRenew": true,
"silent_redirect_uri": "http://localhost:4201/login"
My error when silent login:
Error: Frame window timed out
core.es5.js:1084 ERROR Error: Uncaught (in promise): Error: Frame window timed out
Error: Frame window timed out
at t._error (oidc-client.min.js:74) [angular]
at t._timeout (oidc-client.min.js:74) [angular]
at Object.onInvokeTask (core.es5.js:4140) [angular]
at timer (zone.js:1655) [<root>]
at t._error (oidc-client.min.js:74) [angular]
at t._timeout (oidc-client.min.js:74) [angular]
at Object.onInvokeTask (core.es5.js:4140) [angular]
at timer (zone.js:1655) [<root>]
at resolvePromise (zone.js:710) [angular]
at resolvePromise (zone.js:681) [angular]
at polyfills.bundle.js:6308:17 [angular]
at Object.onInvokeTask (core.es5.js:4140) [angular]
at drainMicroTaskQueue (zone.js:591) [<root>]
at ZoneTask.invoke (zone.js:464) [<root>]
at timer (zone.js:1655) [<root>]
kuncevic
on 27 Jun 2017
signinSilent():
Just figure out that my frame time out error happened when I am calling silent sign in manually
this.userManager.signinSilent().then((user: User) => {
}
However, token gets renewed just before that error taking place.
So this way I got two authorize requests the first one with the current token is OK
The second one with a new token that getting canceled.
Both requests has prompt=none so this is might be a case https://github.com/IdentityModel/oidc-client-js/issues/172#issuecomment-257851885
The iframe will time out if the authorization endpoint does not honor prompt=none, or if it's showing an error of some sort (that the user can't see).
http://docs.identityserver.io/en/release/endpoints/authorize.html
prompt = noneno UI will be shown during the request. If this is not possible (e.g. because the user has to sign in or consent) an error is returned
Currently as a dirty work around in order to get the new issued token I just calling getUser() straight after signinSilent().then() promise failing with frame time out
Thoughts?
"automaticSilentRenew": true:
Also I notice that in case of automatic renew "automaticSilentRenew": true, there is no such error but it is automatically happening only once.
So say I get logged in and then my token gets renewed automatically just once. Is there any limits on that? My AccessToknLifeTime is 180 sec.
Versions:
angular 4.1.3
zone.js 0.8.9
oidc-client 1.3.0
kuncevic
on 27 Jun 2017
Solution
I just looked at the sample and configured that with my identity server https://github.com/IdentityServer/IdentityServer4.Samples/tree/release/Clients/src/JsOidc/wwwroot to make sure that it is working. Also I added silentSignin() to that to make sure it is works:
function silent() {
mgr.signinSilent({ scope: 'openid profile role myApi', response_type: 'id_token token' }).then(function () {
display("#response", { message: "Token has being renewed" });
});
}
<li><button class="btn btn-default" onclick="silent()">Renew</button></li>
Then in my angular SPA I setup separate components to handle signinSilentCallback and signinRedirectCallback etc to make it exactly looking like in a sample. But eventually I got in to the same Frame window timeout issue. So looks like iframe being interfering with zone.js or something like that.
So after the above exercise only difference between my SPA and a sample was that the sample used html files for callbacks but I have my SPA components responsible for that. So after I changed components to html files in my SPA the Frame windows timed out error has gone but now because of that I got another completely different issue referencing oidc-client library in html file.
Reference oidc in html file issue and solution
OK my another issue was is that when I had oidc-client as a part of the vendor.bundle.js when I referenced that in my html files I had an error Uncaught ReferenceError: Oidc is not defined probably due to webpack and rollup treeshaking.
So there is two options to work it out:
- Just reference some cdn version of library like https://cdnjs.cloudflare.com/ajax/libs/oidc-client/1.3.0/oidc-client.js in
htmlfile - In case of angular cli use script section to make
oidc-client.jsa separate bundle like{ "input": "../node_modules/oidc-client/dist/oidc-client", "output": "oidc-client", "lazy": true }and just reference that inhtmlfile<script src="oidc-client.bundle.js"></script>
I went with option 2 as it is working better for me.
kuncevic
on 30 Jun 2017
I'm already using separate files for redirects, not sure what's wrong with mine
tibbus
on 30 Jun 2017
@tibbus try to setup https://github.com/IdentityServer/IdentityServer4.Samples/tree/release/Clients/src/JsOidc/wwwroot against your idserv and see if it is working.
kuncevic
on 30 Jun 2017
@kuncevic Thanks, that's a good idea, I tried before with the angular2 sample and didn't worked, but this one is more simple and clear.
From my perspective it looks like a server error not client, but will see.
In my case also is weird as autoRenew works, it says in the logs that didn't found the user but it renews the token successfully multiple times :
signinSilent successful, signed in sub: 8608ac66dd2d4cfb122e40d0c6050e43
user not found in storage
signinSilent successful, signed in sub: 8608ac66dd2d4cfb122e40d0c6050e43
user not found in storage
signinSilent successful, signed in sub: 8608ac66dd2d4cfb122e40d0c6050e43
user not found in storage
signinSilent successful, signed in sub: 8608ac66dd2d4cfb122e40d0c6050e43
user not found in storage
signinSilent successful, signed in sub: 8608ac66dd2d4cfb122e40d0c6050e43
All set on this issue -- can we close?
brockallen
on 11 Aug 2017
At this moment I use the auto silent renew instead of this and don't have the time to test it to see where the issue was, so I will close it.
tibbus
on 12 Aug 2017
@tibbus Do you get this issue while open the application in multiple tabs ?
abelkbil
on 11 Feb 2019
@kuncevic Thank you, really appreciate your answer above. I was getting the timeout error because I was referencing the oidc client through a CDN and I had caching disabled locally, so after various intervals there would be an error retrieving the client library resulting in a frame timeout. Having a local copy in my assets folder resolved the issue. This information may help others with the same issue.
asad-c
on 3 Jan 2020
Related issues
primozs
路
3Comments
saeed-badar
路
4Comments
bialabs
路
3Comments
pottabathini
路
5Comments
LEW21
路
4Comments
Most helpful comment
I have a single redirect uri for
loginandsilent loginas just component in my angular spa an had same issue when was trying to usesilent login:My error when
silent login: