checkSession fails when issuer has a different origin than the check_session_iframe

Describe the bug

When the discovery document contains a different origin for the issuer than for the check_session_iframe property, checkSession will fail with the following error:

Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('https://issuer.org') does not match the recipient window's origin ('https://ui-endpoint.org').
To Reproduce

Steps to reproduce the behavior:
- Log in using an IdentityServer that provides a different issuer URL than the check_session_iframe
- Wait for the checkSession to be invoked
- See the error in the console
Expected behavior

checkSession uses sessionCheckIFrameUrl if it is provided. Maybe it could/should use the issuer as a fallback but I'm not sure of that.
Config

```typescript
const authCodeFlowConfig: AuthConfig = {
  issuer: 'https://issuer.org',
  redirectUri: window.location.origin,
  postLogoutRedirectUri: window.location.origin,
  silentRefreshRedirectUri: window.location.origin + '/silent-refresh.html',
  sessionChecksEnabled: true,
  clientId: 'content_factory',
  responseType: 'code',
  scope: 'openid',
  showDebugInformation: true,
  useSilentRefresh: true,
  strictDiscoveryDocumentValidation: false
};

// Log every library event; errors go to console.error, the rest to console.warn.
this.oauthService.events.subscribe(event => {
  if (event instanceof OAuthErrorEvent) {
    console.error(event);
  } else {
    console.warn(event);
  }
});

this.oauthService.setStorage(localStorage);
this.oauthService.configure(authCodeFlowConfig);
this.oauthService.setupAutomaticSilentRefresh();
await this.oauthService.loadDiscoveryDocumentAndTryLogin();
this.isDoneLoadingSubject$.next(true);
```
Discovery document (note that issuer and check_session_iframe are on different origins):

```json
{
  "issuer": "https://issuer.org",
  "jwks_uri": "https://issuer.org/.well-known/openid-configuration/jwks",
  "authorization_endpoint": "https://ui-endpoint.org/connect/authorize",
  "token_endpoint": "https://ui-endpoint.org/connect/token",
  "userinfo_endpoint": "https://ui-endpoint.org/connect/userinfo",
  "end_session_endpoint": "https://ui-endpoint.org/connect/endsession",
  "check_session_iframe": "https://ui-endpoint.org/connect/checksession",
  "revocation_endpoint": "https://ui-endpoint.org/connect/revocation",
  "introspection_endpoint": "https://ui-endpoint.org/connect/introspect",
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true,
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true,
  "scopes_supported": [
    "openid",
    "profile",
    "offline_access"
  ],
  "claims_supported": [
    "sub"
  ],
  "grant_types_supported": [
    "authorization_code"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "form_post",
    "query",
    "fragment"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "request_parameter_supported": true
}
```
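The expected behavior described above, as an added example that is not part of the original issue and not angular-oauth2-oidc's own code: the postMessage target origin for the OIDC session-management check is derived from check_session_iframe (falling back to issuer only when no iframe URL exists), and replies from the OP iframe are only acted on when their origin matches. The function names, the simulated postMessage check and the discovery fragment below are constructed for this illustration.

```javascript
// Constructed sample, mirroring the discovery document in the issue.
const DISCOVERY = {
  issuer: 'https://issuer.org',
  check_session_iframe: 'https://ui-endpoint.org/connect/checksession',
};

// Target origin for postMessage into the OP iframe. The browser refuses
// postMessage when targetOrigin differs from the recipient window's origin,
// which is exactly the error in the report, so the origin has to be taken
// from the iframe URL; issuer is only a fallback when no iframe URL is known.
// Never use '*' here: the message carries client_id and session_state.
function sessionCheckTargetOrigin(config) {
  const url = config.check_session_iframe || config.issuer;
  if (!url) throw new Error('neither check_session_iframe nor issuer configured');
  return new URL(url).origin;
}

// Message the RP posts into the OP iframe per OIDC Session Management:
// a single string "<client_id> <session_state>".
function buildCheckSessionMessage(clientId, sessionState) {
  if (!clientId || !sessionState) throw new Error('client_id and session_state are required');
  return `${clientId} ${sessionState}`;
}

// Interpret the OP's reply ("unchanged", "changed" or "error"). Replies are
// trusted only when event.origin is the iframe origin; anything else is
// ignored so another frame on the page cannot fake a "changed" (forcing a
// re-authentication) or an "unchanged" (hiding a real session change).
// Mapping "changed" to a silent refresh is a simplification of what an RP
// would do; the important part is the origin check.
function handleCheckSessionReply(event, expectedOrigin) {
  if (event.origin !== expectedOrigin) {
    return { action: 'ignore', reason: 'origin mismatch' };
  }
  switch (event.data) {
    case 'unchanged': return { action: 'none' };
    case 'changed': return { action: 'silent-refresh' };
    case 'error': return { action: 'stop-session-checks' };
    default: return { action: 'ignore', reason: 'unknown reply' };
  }
}

// Minimal stand-in for the browser's targetOrigin enforcement, so the
// failing and the working case can be shown outside a browser.
function simulatePostMessage(recipientOrigin, targetOrigin, message) {
  if (targetOrigin !== '*' && targetOrigin !== recipientOrigin) {
    throw new Error(`The target origin provided ('${targetOrigin}') does not ` +
      `match the recipient window's origin ('${recipientOrigin}').`);
  }
  return { delivered: true, message };
}

// Runs both variants against the sample discovery document:
// posting to the issuer origin (the bug) and to the iframe origin (the fix).
function demo() {
  const iframeOrigin = new URL(DISCOVERY.check_session_iframe).origin;
  const message = buildCheckSessionMessage('content_factory', 'constructed-session-state');
  let issuerAttempt;
  try {
    simulatePostMessage(iframeOrigin, DISCOVERY.issuer, message);
    issuerAttempt = 'delivered';
  } catch (e) {
    issuerAttempt = e.message;
  }
  const fixedAttempt = simulatePostMessage(iframeOrigin, sessionCheckTargetOrigin(DISCOVERY), message);
  return { issuerAttempt, fixedAttempt };
}
```

Calling demo() reproduces the report: the issuer-origin attempt fails with the same "target origin provided ... does not match" message, while the attempt using the origin derived from check_session_iframe is delivered.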
Top GitHub Comments
As a temporary (hopefully) workaround I can override the prototype's checkSession method.

I can confirm that with the fixes proposed by @j2jensen (fixing the originalCheckSession reference and applying against this) it works correctly in this scenario.