
Validating access_token failed. wrong state/nonce in Internet Explorer only.


Hi everyone,

I’m getting this error in Internet Explorer 11: validating access_token failed. wrong state/nonce.

The scenario is the following: I have a setup like below:

    this.oauthService.tryLogin().then(() => {
      if (!this.oauthService.hasValidIdToken() || !this.oauthService.hasValidAccessToken()) {
        console.log('startSigninMainWindow URL', window.location.href)
        this.oauthService.initImplicitFlow(window.location.href);
      }
    });

When I’m not logged in and try to go to http://localhost:4200/somecrazyroute?abc=123, it checks that I’m not logged in and sends me to the IdP with “http://localhost:4200/somecrazyroute?abc=123” in the state. After logon, it correctly sends me back to http://localhost:4200/somecrazyroute?abc=123. Except in Internet Explorer 11!

I know the problem is when I have query parameters like ?abc=123. If I remove it, it works.

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 11

Top GitHub Comments

5 reactions
JohannesHoppe commented, Oct 23, 2018

I’ll answer my question myself, maybe it’ll help someone.

  1. This is all related to the fact that all content of the storage gets lost.
  2. With IE11 (v11.1324.15063.0 © 2015) on Windows 10 it’s enough to change the OAuthStorage to localStorage - as seen here https://github.com/manfredsteyer/angular-oauth2-oidc/issues/255#issuecomment-384210345
  3. With IE11 (v11.0.9600.19155 © 2013) on Windows 7 this didn’t help. I had to completely deactivate the check against the nonce:

        this.oauthService.loadDiscoveryDocumentAndLogin({
          disableOAuth2StateCheck: true
        });

This workaround is far from perfect, but now the access token is always available.

@ppozeti This issue is not solved, could you open it again?

2 reactions
JohannesHoppe commented, Dec 14, 2018

Hello everybody, we tracked the issue down to this bug in Internet Explorer: https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/110656/ The bug was fixed in later versions of IE11.

Solutions:

  • Update that IE 11 to the latest version of Internet Explorer 11! If necessary, escalate that critical issue to your big boss and tell him that your infrastructure team is doing an unbelievably bad job by letting you use rotten software
  • if that doesn’t help 😉:
    • put your angular app and also your issuer to THE SAME zone. The bug happens because you change zones during the redirect which lets IE forget everything (until reload). It is possible to change the zone of websites via a Group Policy!

see this:

[image]

FYI @manfredsteyer
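
The state/nonce check discussed in the comments above, as an added example that is not part of the thread and not angular-oauth2-oidc's own code: a simplified model showing what the check compares, why it fails when the storage is empty on return from the IdP, and what gets accepted once the check is skipped. `FakeStorage`, `createState`, `checkState`, `skipStateCheck`, the `nonce` storage key and the `;` separator are assumptions made for the illustration.

```javascript
// Added example: simplified model of an OAuth2 state/nonce check (not the library's code).
const webcrypto = globalThis.crypto || require('crypto').webcrypto;

// Stand-in for sessionStorage/localStorage so the example runs outside a browser.
class FakeStorage {
  constructor() { this.items = new Map(); }
  getItem(k) { return this.items.has(k) ? this.items.get(k) : null; }
  setItem(k, v) { this.items.set(k, String(v)); }
  removeItem(k) { this.items.delete(k); }
  clear() { this.items.clear(); }
}

// Before redirecting to the IdP: store a fresh nonce and build the state parameter.
function createState(storage, returnUrl) {
  const bytes = webcrypto.getRandomValues(new Uint8Array(16));
  const nonce = Array.from(bytes, b => b.toString(16).padStart(2, '0')).join('');
  storage.setItem('nonce', nonce);
  // Encode so "?", "&" and "=" in returnUrl cannot be read as separate parameters.
  return encodeURIComponent(nonce + ';' + returnUrl);
}

// On the callback: compare the nonce in the returned state with the stored one.
function checkState(storage, stateParam, { skipStateCheck = false } = {}) {
  const decoded = decodeURIComponent(stateParam);
  const sep = decoded.indexOf(';');
  const nonce = sep === -1 ? decoded : decoded.slice(0, sep);
  const returnUrl = sep === -1 ? '' : decoded.slice(sep + 1);
  if (!skipStateCheck) {
    const saved = storage.getItem('nonce');
    storage.removeItem('nonce'); // a nonce is single use
    if (saved === null) return { ok: false, reason: 'no stored nonce' };
    if (saved !== nonce) return { ok: false, reason: 'wrong state/nonce' };
  }
  return { ok: true, returnUrl };
}

// Constructed scenarios; URLs and values are sample data.
function runScenarios() {
  const url = 'http://localhost:4200/somecrazyroute?abc=123';
  const normal = new FakeStorage();
  const a = checkState(normal, createState(normal, url));
  const wiped = new FakeStorage();
  const state = createState(wiped, url);
  wiped.clear(); // storage lost during the redirect, as described for IE11
  const b = checkState(wiped, state);
  const foreign = encodeURIComponent('unknown-nonce;http://localhost:4200/other');
  const pending = new FakeStorage();
  createState(pending, url);
  const c = checkState(pending, foreign); // state this app never issued
  const d = checkState(new FakeStorage(), foreign, { skipStateCheck: true });
  return { normal: a, storageLost: b, foreignState: c, foreignStateCheckSkipped: d };
}
```

With the check skipped, a callback carrying a state the application never issued is accepted, which is the trade-off behind the `disableOAuth2StateCheck` workaround.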
