checkSession fails when issuer has a different origin as the check_session_iframe

Describe the bug
When the discovery document contains a different origin for the issuer than for the check_session_iframe property, checkSession fails with the following error:

Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('https://issuer.org') does not match the recipient window's origin ('https://ui-endpoint.org').

To Reproduce
Steps to reproduce the behavior:

  1. Log in using an IdentityServer that provides a different issuer URL than the check_session_iframe
  2. Wait for checkSession to be invoked
  3. See the error in the console

Expected behavior
checkSession uses sessionCheckIFrameUrl if it is provided. Maybe it could/should use the issuer as a fallback, but I'm not sure of that.

Config

import { AuthConfig, OAuthErrorEvent, OAuthService } from 'angular-oauth2-oidc';

const authCodeFlowConfig: AuthConfig = {
	issuer: 'https://issuer.org',
	redirectUri: window.location.origin,
	postLogoutRedirectUri: window.location.origin,
	silentRefreshRedirectUri: window.location.origin + '/silent-refresh.html',
	sessionChecksEnabled: true,
	clientId: 'content_factory',
	responseType: 'code',
	scope: 'openid',
	showDebugInformation: true,
	useSilentRefresh: true,
	// Has to be false for this IdP: strict validation requires every URL in the
	// discovery document to start with the issuer URL, and these endpoints live on
	// https://ui-endpoint.org rather than https://issuer.org.
	strictDiscoveryDocumentValidation: false
};

// The following runs inside an async initialisation method of an Angular service
// that injects OAuthService as this.oauthService.
this.oauthService.events.subscribe(event => {
	if (event instanceof OAuthErrorEvent) {
		console.error(event);
	} else {
		console.warn(event);
	}
});

this.oauthService.setStorage(localStorage);
this.oauthService.configure(authCodeFlowConfig);
this.oauthService.setupAutomaticSilentRefresh();

await this.oauthService.loadDiscoveryDocumentAndTryLogin();

this.isDoneLoadingSubject$.next(true);

Discovery document

{
	"issuer": "https://issuer.org",
	"jwks_uri": "https://issuer.org/.well-known/openid-configuration/jwks",
	"authorization_endpoint": "https://ui-endpoint.org/connect/authorize",
	"token_endpoint": "https://ui-endpoint.org/connect/token",
	"userinfo_endpoint": "https://ui-endpoint.org/connect/userinfo",
	"end_session_endpoint": "https://ui-endpoint.org/connect/endsession",
	"check_session_iframe": "https://ui-endpoint.org/connect/checksession",
	"revocation_endpoint": "https://ui-endpoint.org/connect/revocation",
	"introspection_endpoint": "https://ui-endpoint.org/connect/introspect",
	"frontchannel_logout_supported": true,
	"frontchannel_logout_session_supported": true,
	"backchannel_logout_supported": true,
	"backchannel_logout_session_supported": true,
	"scopes_supported": [
		"openid",
		"profile",
		"offline_access"
	],
	"claims_supported": [
		"sub"
	],
	"grant_types_supported": [
		"authorization_code"
	],
	"response_types_supported": [
		"code",
		"token",
		"id_token",
		"id_token token",
		"code id_token",
		"code token",
		"code id_token token"
	],
	"response_modes_supported": [
		"form_post",
		"query",
		"fragment"
	],
	"token_endpoint_auth_methods_supported": [
		"client_secret_basic",
		"client_secret_post"
	],
	"subject_types_supported": [
		"public"
	],
	"id_token_signing_alg_values_supported": [
		"RS256"
	],
	"code_challenge_methods_supported": [
		"plain",
		"S256"
	],
	"request_parameter_supported": true
}
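The failure described above comes from the RP side of OpenID Connect Session Management: the relying page posts "<client_id> <session_state>" into the OP's check-session iframe, and the browser refuses the postMessage when the targetOrigin argument does not equal the origin the iframe actually loaded from. The following is an added example, not code from the issue or from angular-oauth2-oidc, showing the origin derivation the reporter asks for (check_session_iframe first, issuer as fallback), a simulation of the browser's targetOrigin check that reproduces the reported error, and a check modelled on the library's documented strictDiscoveryDocumentValidation option (every discovery-document URL must start with the issuer URL) that shows why that option had to be turned off for this IdP. The discovery document, the function names and the simulated postMessage are all constructed for this example.

```javascript
// Added example, not part of the original issue or of angular-oauth2-oidc.
// Constructed discovery document with the same origin split as the one in the issue.
const discoveryDocument = {
  issuer: 'https://issuer.org',
  jwks_uri: 'https://issuer.org/.well-known/openid-configuration/jwks',
  authorization_endpoint: 'https://ui-endpoint.org/connect/authorize',
  check_session_iframe: 'https://ui-endpoint.org/connect/checksession',
};

// Origin the RP must pass as targetOrigin when posting into the check-session
// iframe. The iframe's own URL wins; the issuer is only a fallback when the
// OP publishes no check_session_iframe. Insist on https so session state is
// never posted to a cleartext frame.
function sessionCheckTargetOrigin(doc) {
  const parsed = new URL(doc.check_session_iframe || doc.issuer);
  if (parsed.protocol !== 'https:') {
    throw new Error(`check_session_iframe must be https, got ${parsed.protocol}`);
  }
  return parsed.origin;
}

// Message body defined by OIDC Session Management: "<client_id> <session_state>".
function buildSessionCheckMessage(clientId, sessionState) {
  if (!clientId || !sessionState) {
    throw new Error('client_id and session_state are both required');
  }
  return `${clientId} ${sessionState}`;
}

// Simulated browser behaviour (hypothetical stand-in for window.postMessage):
// a non-wildcard targetOrigin must equal the recipient window's origin, otherwise
// the call throws. This is exactly the error text quoted in the issue.
function simulatePostMessage(targetOrigin, recipientOrigin) {
  if (targetOrigin !== '*' && targetOrigin !== recipientOrigin) {
    throw new Error(
      `Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ` +
      `('${targetOrigin}') does not match the recipient window's origin ('${recipientOrigin}').`
    );
  }
  return true;
}

// Check modelled on strictDiscoveryDocumentValidation as documented for the
// library: returns the keys whose URL does not start with the issuer URL.
// A non-empty result is why the reporter's config sets the option to false.
function strictDiscoveryViolations(doc) {
  return Object.entries(doc)
    .filter(([key, value]) =>
      typeof value === 'string' &&
      /^https?:\/\//.test(value) &&
      !value.startsWith(doc.issuer))
    .map(([key]) => key);
}

// Reproduce both outcomes: posting with the issuer origin fails, posting with
// the origin derived from check_session_iframe succeeds.
function demonstrate(doc) {
  const recipientOrigin = new URL(doc.check_session_iframe).origin;
  let withIssuer;
  try {
    simulatePostMessage(new URL(doc.issuer).origin, recipientOrigin);
    withIssuer = 'ok';
  } catch (err) {
    withIssuer = 'error';
  }
  const withIframeOrigin = simulatePostMessage(sessionCheckTargetOrigin(doc), recipientOrigin)
    ? 'ok'
    : 'error';
  return { withIssuer, withIframeOrigin };
}

console.log(demonstrate(discoveryDocument));
console.log('strict-validation violations:', strictDiscoveryViolations(discoveryDocument));
console.log(buildSessionCheckMessage('content_factory', 'example-session-state'));
```

Two points a practitioner should keep in mind. First, the fix is to use the iframe's real origin, never "*": a wildcard targetOrigin would silently hand client_id and session_state to whatever document happens to be in the frame. Second, turning off strict discovery-document validation means the RP trusts every endpoint URL the document names, so the document itself must be fetched from the issuer over TLS and the endpoints reviewed, which is the trade-off this IdP's split-origin deployment forces.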


Top GitHub Comments

MartijnKooij commented, Jul 9, 2020

As a temporary (hopefully) workaround I can override the prototype’s checkSession method.

import { OAuthService } from 'angular-oauth2-oidc';

// Keep a reference to the library's own checkSession (not a thunk that returns it).
// checkSession is not public on the type, hence the cast.
const originalCheckSession = (OAuthService.prototype as any).checkSession;

(OAuthService.prototype as any).checkSession = function (this: any) {
	const originalIssuer = this.issuer;
	// The library uses this.issuer as the postMessage targetOrigin, so substitute
	// the origin of the check_session_iframe (falling back to the issuer) for the call.
	const sessionCheckIFrameOrigin = new URL(this.sessionCheckIFrameUrl || this.issuer).origin;

	this.issuer = sessionCheckIFrameOrigin;
	try {
		// Invoke the original against this instance so it sees the swapped issuer.
		originalCheckSession.call(this);
	} finally {
		this.issuer = originalIssuer;
	}
};

atkulp commented, Feb 4, 2022

I can confirm that with the fixes proposed by @j2jensen (fixing the originalCheckSession reference and applying against this) it works correctly in this scenario.
