Validating access_token failed, wrong state/nonce
See original GitHub issueI’ve integrated OAuth Implicit flow in Angular 8 App, I’ve been getting below issue initial time especially in Firefox (incognito).
Validating access_token failed, wrong state/nonce
Initial time, there is no nonce in the local storage, how can it validateNonce (angular-oauth2-oidc.js - 2358 line) execute? This method is being thrown an exception initial time.
if (this.configService.auth) {
console.log(this.configService.auth.authRedirectUri + "*&&&&&&&&&&&&&&&&&&dd");
this.authConfig = {
issuer: 'https://login.microsoftonline.com/XXXXXX/v2.0',
redirectUri: this.configService.auth.authRedirectUri,
clientId: this.configService.auth.clientId,
scope: 'openid profile email',
strictDiscoveryDocumentValidation: false,
oidc: true,
showDebugInformation: true,
// URL of the SPA to redirect the user after silent refresh
// silentRefreshRedirectUri: window.location.origin + '/login.html',
};
this.oauthService.configure(this.authConfig);
this.oauthService.setStorage(localStorage);
this.oauthService.tokenValidationHandler = new JwksValidationHandler();
this.oauthService.setupAutomaticSilentRefresh();
// this.oauthService.silentRefreshRedirectUri = window.location.origin + '/login.html';
}
// trylogin funtion
tryLogin(state?: any): Observable<boolean | any> {
console.log("***********Try Login", state);
return Observable.create(observer => {
return this.oauthService.loadDiscoveryDocument(this.configService.auth.openIdDocument).then(() => {
console.log("***********Try Login", state);
return this.oauthService.tryLogin({}).then(() => {
observer.next(state ? state : this.isLoggedIn);
observer.complete();
}).catch(err => {
observer.error(err);
observer.complete();
});
});
});
}
Desktop (please complete the following information):
- OS: Mac, Windows
- Browser Firefox
- Version Latest
Issue Analytics
- State:
- Created 4 years ago
- Reactions:4
- Comments:37 (2 by maintainers)
Top Results From Across the Web
Validating access_token failed, wrong state/nonce
I am authenticating using 'angular-oauth2-oidc' with ping federation, authentication is working good in Chrome browser but in Edge we are ...
Read more >Angular-oauth2-oidc: Error validating tokens. Wrong nonce.
After integrating the Angular-oauth2-oidc library in our application, we got the following error message when invoking the Implicit Flow:.
Read more >Angular UI Bug: Error Refreshing Token, Wrong State/Nonce ...
After entering credentials, verifying with two factor, and redirecting to the Angular home page, the user is still not logged in. They click ......
Read more >Validating access_token failed, wrong state/nonce
Coming soon: A brand new website interface for an even better experience!
Read more >IdentityServer/IdentityServer4 - Gitter
Hey guys, im trying to implement IS4 on OWIN with angular-oauth2-oidc but im getting a "Validating access_token failed, wrong state/nonce.
Read more >Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start FreeTop Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Top GitHub Comments
I wrote a workaround that stores the nonce and pkce verifier in localstorage. I would like to understand what’s going on and why only firefox. I suspect maybe firefox handels localhost differently. Anyhow I implemented the OAuthStorage class like this and provided it in my core module.
EDIT: I managed to get it to work using https://github.com/manfredsteyer/angular-oauth2-oidc/issues/728#issuecomment-590909947. This should still be fixed or documented somewhere that it is necessary.
Just created a fresh project using angular CLI and followed the minimal example and getting this error. The local storage is empty (no state stored). So this is definitely a bug. Currently I am testing on localhost.
The
nonce
is not mandatory in OIDC and definitely not in RFC 6749. Not sure about the current security BCP draft right now. Anyway. Still a bug no matter how the plugin handles and interprets thestate
parameter. But basically it currently enforces the use of a nonce which is piggybacked in the state leading to the error due to the bug.