Don't hardcode `useHash` when completing authorization requests
Expected Behavior
[REQUIRED] Describe expected behavior
When being redirected from the issuer to an app URL like `http://localhost:8080/auth/callback?state=…&code=…`, I called `completeAuthorizationRequestIfPossible` on my `RedirectRequestHandler` with a configured notifier. I expected to get a notification since the response parameters are present in the current location.
Describe the problem
[REQUIRED] Actual Behavior
I did not get notified of a response and instead only found the following log messages:

```
Checking to see if there is an authorization response to be delivered.
Potential authorization request http://localhost:8080/auth/callback { } undefined undefined
Mismatched request (state and request_uri) dont match.
No result is available yet.
```
[REQUIRED] Steps to reproduce the behavior
I have created a gist with the auth code I currently use.
In my app I do the following:

1. User visits `/auth/login`, which triggers `auth.doAuthorization("http://localhost:8080/auth/callback")`
2. User visits the OpenID issuer and logs in
3. User gets redirected to `/auth/callback`, which triggers `auth.doAuthorizationCallback`
Discovered Workaround
While reading the existing code I discovered that the `RedirectRequestHandler` always passes `useHash=true` to its `QueryStringUtils`, therefore ignoring all GET parameters of the current location:
https://github.com/openid/AppAuth-JS/blob/cf6bb68dfe630c5d5f415bdcc76ea2581f041d8f/src/redirect_based_handler.ts#L100

Knowing this, I was able to construct my `RedirectRequestHandler` in the following way. I do not like to do this and would wish for this library to either automatically discover whether `useHash` should be true or let me pass it in as a parameter.

```js
new RedirectRequestHandler(new LocalStorageBackend(), new BasicQueryStringUtils(), { ...window.location, hash: window.location.search })
```
[REQUIRED] Environment
- AppAuth-JS version: 1.3.0
- AppAuth-JS Environment (Node, Browser (UserAgent), …): Browser (Firefox 86)
- Source code snippets (inline or JSBin)
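The behaviour reported above, reconstructed as a small self-contained model. This is an added example, not AppAuth-JS code: `parseLocation` stands in for the library's `(useHash ? location.hash : location.search)` choice, `completeAuthorizationRequest` stands in for the handler's state comparison, `locationWithQueryAsHash` implements the workaround from the issue, and `detectResponseMode` shows the auto-detection the reporter asks for. The sample location and stored request are constructed; the helper names are hypothetical.

```javascript
// Added example (not AppAuth-JS code): model why a handler that always reads
// location.hash misses a response delivered in location.search, and show the
// workaround plus an auto-detection alternative.

// Parse "?a=1&b=2" or "#a=1&b=2" into a plain object (leading ?/# stripped).
function parseQueryString(query) {
  const result = {};
  const body = query.replace(/^[?#]/, '');
  if (!body) return result;
  for (const pair of body.split('&')) {
    const [rawKey, rawValue = ''] = pair.split('=');
    if (!rawKey) continue;
    const key = decodeURIComponent(rawKey.replace(/\+/g, ' '));
    result[key] = decodeURIComponent(rawValue.replace(/\+/g, ' '));
  }
  return result;
}

// Mirrors the useHash switch: fragment when true, query string when false.
function parseLocation(location, useHash) {
  return parseQueryString(useHash ? location.hash : location.search);
}

// Workaround from the issue: give the handler a location whose hash carries
// the query string, so a hash-only reader still sees the response parameters.
function locationWithQueryAsHash(location) {
  return { ...location, hash: location.search };
}

// Auto-detection: look for response parameters in the fragment first (it is
// never sent to the server), then in the query string; null when neither
// part carries a response.
function detectResponseMode(location) {
  const RESPONSE_KEYS = ['code', 'state', 'error'];
  const hasResponse = (params) => RESPONSE_KEYS.some((k) => k in params);
  if (hasResponse(parseQueryString(location.hash))) return 'fragment';
  if (hasResponse(parseQueryString(location.search))) return 'query';
  return null;
}

// Stand-in for the handler's completion step: the state in the response must
// equal the state stored when the request was started, otherwise the
// response is rejected (the log line quoted in the issue).
function completeAuthorizationRequest(location, storedRequest, useHash) {
  const params = parseLocation(location, useHash);
  if (!params.state || params.state !== storedRequest.state) {
    return { ok: false, reason: 'Mismatched request (state and request_uri) dont match.' };
  }
  if (params.error) return { ok: false, reason: params.error };
  return { ok: true, code: params.code, state: params.state };
}

// Constructed sample: the redirect described in the issue (query, no fragment).
const SAMPLE_LOCATION = {
  href: 'http://localhost:8080/auth/callback?state=abc123&code=SplxlOBeZQQYbYS6WxSbIA',
  origin: 'http://localhost:8080',
  pathname: '/auth/callback',
  search: '?state=abc123&code=SplxlOBeZQQYbYS6WxSbIA',
  hash: '',
};
const STORED_REQUEST = { state: 'abc123' };

// Demonstration: hash-only reading fails, the shim or auto-detection succeeds.
function demo() {
  const forcedHash = completeAuthorizationRequest(SAMPLE_LOCATION, STORED_REQUEST, true);
  const shimmed = completeAuthorizationRequest(locationWithQueryAsHash(SAMPLE_LOCATION), STORED_REQUEST, true);
  const detected = detectResponseMode(SAMPLE_LOCATION);
  const autoDetected = completeAuthorizationRequest(SAMPLE_LOCATION, STORED_REQUEST, detected === 'fragment');
  return { forcedHash, shimmed, detected, autoDetected };
}
```

The state comparison is the part not to lose while working around the parsing problem: whichever location part the response is read from, the value must be checked against the state stored before the redirect, since an unsolicited callback carrying a code but a foreign state should be dropped rather than exchanged.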
Top GitHub Comments
I’ve just dug a bit and found that the OpenID Connect spec defines the `response_mode` parameter, of which Keycloak seems to support `query`, `fragment` and `form_post`. See `response_modes_supported` in your OpenID configuration (here is mine). The spec also shows an example here. I haven’t tested this yet but from what I can see this seems to be the way to tell Keycloak.
Ahh I understand, thanks for clarifying!
I would still like to configure it somehow or at least have some sort of documentation around it (because I was really confused at first) but understand that you closed the issue.