I am using IdentityServer4 for local user authentication. We have three components in our app architecture: the protected API provider, the UI driven by the API, and IdentityServer itself. These instances are behind an Nginx server. The endpoint configured for IdentityServer is https://localhost/auth, the API is https://localhost/api and the UI is https://localhost.
In this setup, whenever the user logs in, the browser starts a nonstop redirect loop. It seems that the redirect occurs because the CheckSessionIFrame for some reason emits a changed message rather than an unchanged one.

The settings passed to the UserManager are as follows:

    const settings: any = AUTH_CONFIG;
    settings.automaticSilentRenew = true;
    settings.includeIdTokenInSilentRenew = true;
    settings.scope = 'openid profile api.read api.add api.delete api.exec-cap';
    settings.client_id = 'app-spa-client';
    settings.response_type = 'code';
    settings.query_status_response_type = 'code';
    settings.authority = '/auth';
    settings.redirect_uri = '/try/login-callback';

The client is registered in IdentityServer as:

    private static Client GetSpaClient()
    {
        Client spa = new Client
        {
            Enabled = true,
            ClientId = "app-spa-client",
            RequireClientSecret = false,
            Description = "API Default SPA Client",
            ClientName = "App UI",
            AllowedGrantTypes = GrantTypes.Code,
            RequirePkce = true,
            RequireConsent = false,
            AllowOfflineAccess = false,
            AlwaysIncludeUserClaimsInIdToken = true,
            AllowedScopes =
            {
                ApiResources.ApiAdd.Name,
                ApiResources.ApiDelete.Name,
                ApiResources.ApiExecCAP.Name,
                ApiResources.ApiRead.Name,
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "roles"
            },
            RedirectUris =
            {
                "http://localhost:4200/try/login-callback", // dev
                "https://localhost/try/login-callback", // docker dev
                "https://192.168.1.150/try/login-callback", // staging
                $"{ServerUrl}/try/login-callback", // production
                "/try/login-callback"
            },
            PostLogoutRedirectUris =
            {
                "http://localhost:4200/index.html", // dev
                "https://localhost/index.html", // docker dev
                "https://192.168.1.150/index.html", // staging
                $"{ServerUrl}/index.html" // production
            },
            AllowedCorsOrigins = { "http://localhost:4200" } // angular dev server
        };
        return spa;
    }

It seems that setting monitorSession to false on the UserManagerSettings passed to UserManager fixes the issue. Any reason why monitorSession fails in my scenario?
Could this be related to: https://github.com/IdentityModel/oidc-client-js/issues/1074
Are you experiencing the issue in all browsers?
Yea, possibly. Anything cross-site with iframes is basically now broken on the web and should be avoided.
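
For readers following the thread, an added example (not code from any participant, IdentityServer4 or oidc-client-js) that models the comparison a check-session iframe makes, to show which inputs turn the answer into "changed". It assumes the `session_state` construction from the OpenID Connect Session Management draft with a base64url SHA-256 hash; the function names, session id and salt are hypothetical, constructed values, and the cases go beyond the one in the thread.

```javascript
const { createHash } = require('node:crypto');

// session_state = base64url(SHA-256("client_id origin browser_state salt")) + "." + salt
function sessionState(clientId, origin, browserState, salt) {
  const input = `${clientId} ${origin} ${browserState} ${salt}`;
  return `${createHash('sha256').update(input).digest('base64url')}.${salt}`;
}

// Model of the OP iframe's answer to the RP message "client_id session_state".
// messageOrigin: origin the browser reports for the window that posted the message.
// opCookie: session cookie value readable inside the OP iframe, or undefined
//           when the browser does not expose the cookie in that frame.
function checkSession(message, messageOrigin, opCookie) {
  const [clientId, state, ...rest] = message.split(' ');
  const dot = state ? state.lastIndexOf('.') : -1;
  if (!clientId || rest.length > 0 || dot < 1) return 'error';
  if (opCookie === undefined) return 'changed'; // nothing to recompute the hash from
  const salt = state.slice(dot + 1);
  const expected = sessionState(clientId, messageOrigin, opCookie, salt);
  return expected === state ? 'unchanged' : 'changed';
}

// client_id and UI origin are the ones quoted in the question; the rest is constructed.
const CLIENT_ID = 'app-spa-client';
const UI_ORIGIN = 'https://localhost';
const SID = 'constructed-session-id';
const issued = sessionState(CLIENT_ID, UI_ORIGIN, SID, 'c0ffee');

function runScenarios() {
  const msg = `${CLIENT_ID} ${issued}`;
  return {
    // Same origin as at login and the cookie is readable: session is intact.
    sameOriginCookieVisible: checkSession(msg, UI_ORIGIN, SID),
    // Cookie withheld from the iframe: reported as a session change.
    cookieNotVisible: checkSession(msg, UI_ORIGIN, undefined),
    // Page origin differs from the origin hashed at login: also "changed".
    originDiffers: checkSession(msg, 'http://localhost:4200', SID),
    // Message without a session_state part.
    malformed: checkSession(CLIENT_ID, UI_ORIGIN, SID),
  };
}

console.log(runScenarios());
```

When diagnosing a loop like this, compare the origin the page is actually served from with the one the login response was issued for, and check in the browser's storage inspector whether the session cookie is visible inside the check-session frame.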
Thanks, looks like there's some connection. But I'm experiencing this on both Firefox and Chrome. Interestingly, it only happens when running in a Docker container.
All set on this issue -- can we close?