angular-auth-oidc-client: id_token nonce validation fails randomly in 12.0.0
Describe the bug As there were some issues with the validation of id tokens already here, I think the behaviour is known. I'm using this library at v12.0.0 and Angular 12.1.1. Sometimes, the nonce validation fails as the values don't match. I think probably some kind of regression happened here when going from 11.x to 12.0.0. I've logged all tokens on backend-side to check if it's the error of our oidc implementation but that's not the case as tokens with the correct nonce are issued. Following scenario happens:
- Library asks for a token, gets one back
- Immediately does subsequent requests but validates the first token and fails with an error stating that the nonce is invalid.
- The behaviour is exactly the same as on old issues but after 3-10 requests it works and the user is signed in.
- I've already increased the `maxIdTokenIatOffsetAllowedInSeconds` to 600.
To Reproduce Steps to reproduce the behavior: Use https://github.com/damienbod/angular-auth-oidc-client/tree/main/projects/sample-code-flow-auto-login-all-routes with Angular 12 and v12.0.0 of this library.
Desktop (please complete the following information):
- OS: Mac OS 11.2.3
- Browser: Tested with Safari & Chrome
About this issue
- State: closed
- Created 3 years ago
- Comments: 15 (2 by maintainers)
@damienbod it is indeed a race condition.
My default route redirected to a route with an AutoLoginPartialRoutesGuard on it. A successful login depended on which checkAuth was called first, the one in my AppComponent or the one in the Guard.
I changed my code to use the AutoLoginAllRoutesGuard, because all routes are protected in my case and I could not simulate the issue anymore.
It’s just an idea, but logging an error if CheckAuth is called a second time could have helped in finding the issue. Or maybe just some logging that the Guard is triggering the CheckAuth instead of the one in the AppComponent so you can spot the difference a bit better in the console.
@damienbod I also cannot find my second call to checkAuth.
What I see is the following difference between an unsuccessful and a successful login. Just before where my screenshots start an AuthResult was found in both cases.
Unsuccessful:
Successful:
As you can see when it fails, it seems that it doesn’t detect auth data. And because of that, a new nonce is created.
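The race described in the two comments above (two independent checkAuth callers, the second of which creates a fresh nonce before the first id_token is validated), as an added example; this is a constructed, simplified synchronous model and not angular-auth-oidc-client's own code. The `NonceStore`, `startLogin`, `racyCheckAuth` and `dedupedCheckAuth` names are hypothetical.

```typescript
// Simplified, constructed model of the race discussed in this issue; it is not
// angular-auth-oidc-client's code. A nonce is stored when an authorization
// request starts and compared with the id_token's nonce claim when the token
// returns. If a second checkAuth() starts a new request before the first token
// is validated, the stored nonce is overwritten and the first token is rejected.

interface IdToken { nonce: string; }

class NonceStore {
  private nonce: string | null = null;
  private counter = 0;
  // Hypothetical deterministic nonce; a real implementation uses random bytes.
  createNonce(): string {
    this.nonce = `nonce-${++this.counter}`;
    return this.nonce;
  }
  current(): string | null { return this.nonce; }
}

// Models "start a login and receive the id_token": the token echoes the nonce
// it was requested with, as the OIDC provider would.
function startLogin(store: NonceStore): IdToken {
  return { nonce: store.createNonce() };
}

function nonceIsValid(store: NonceStore, token: IdToken): boolean {
  return store.current() !== null && store.current() === token.nonce;
}

// Racy: AppComponent and the route guard each call checkAuth independently,
// so two logins start and the second one clobbers the first nonce.
function racyCheckAuth(): boolean[] {
  const store = new NonceStore();
  const fromAppComponent = startLogin(store);
  const fromGuard = startLogin(store); // runs before the first token is validated
  return [nonceIsValid(store, fromAppComponent), nonceIsValid(store, fromGuard)];
}

// Guarded: callers share the in-flight login instead of starting their own,
// so exactly one nonce is issued and both callers validate the same token.
function dedupedCheckAuth(): boolean[] {
  const store = new NonceStore();
  let inFlight: IdToken | null = null;
  const checkAuth = (): IdToken => {
    if (inFlight === null) inFlight = startLogin(store);
    return inFlight;
  };
  const fromAppComponent = checkAuth();
  const fromGuard = checkAuth();
  return [nonceIsValid(store, fromAppComponent), nonceIsValid(store, fromGuard)];
}
```

`racyCheckAuth()` returns `[false, true]` (the first token is rejected exactly as the issue describes), while `dedupedCheckAuth()` returns `[true, true]`.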
@damienbod this can be the issue definitely, but (for my example) I don't call `checkAuth` explicitly as I'm only using the guard which is shipped with the library 🤔