angular-oauth2-oidc: checkSession fails when issuer has a different origin as the check_session_iframe

Describe the bug When the discovery document advertises a different origin for `issuer` than for `check_session_iframe`, checkSession fails with the error below. The library evidently passes the issuer URL as the postMessage target origin while the receiving iframe is hosted on the check_session_iframe origin, so the browser refuses to deliver the message: Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('https://issuer.org') does not match the recipient window's origin ('https://ui-endpoint.org').

To Reproduce Steps to reproduce the behavior:

  1. Log in against an IdentityServer whose discovery document uses a different origin for issuer than for check_session_iframe
  2. Wait for the checkSession to be invoked
  3. See the error in the console

Expected behavior checkSession should derive the postMessage target origin from sessionCheckIFrameUrl (the check_session_iframe value) when it is provided, and only fall back to the issuer when it is not. In both cases the target must remain an exact origin rather than '*', so the session-check message cannot be delivered to an unexpected frame.

Config

/**
 * Authorization-code flow configuration used for the reproduction.
 *
 * NOTE(review): `strictDiscoveryDocumentValidation` is turned off because the
 * discovery document below places every endpoint (authorize, token,
 * check_session_iframe, ...) on https://ui-endpoint.org while the issuer is
 * https://issuer.org. Disabling it presumably skips the check that discovery
 * endpoints share the issuer's origin, so the app then follows whatever
 * endpoint URLs the discovery document contains — this relies on the document
 * being fetched over TLS from the genuine issuer. Confirm that trade-off is
 * acceptable before copying this into production.
 */
const authCodeFlowConfig: AuthConfig = {
	// Identity provider
	issuer: 'https://issuer.org',
	strictDiscoveryDocumentValidation: false,

	// Client registration
	clientId: 'content_factory',
	responseType: 'code',
	scope: 'openid',

	// Redirects back into this SPA
	redirectUri: window.location.origin,
	postLogoutRedirectUri: window.location.origin,
	silentRefreshRedirectUri: `${window.location.origin}/silent-refresh.html`,

	// Session handling
	sessionChecksEnabled: true,
	useSilentRefresh: true,

	showDebugInformation: true
};

// Mirror every library event to the console: error events loudly, everything
// else as a warning, so the session-check failure is visible while reproducing.
this.oauthService.events.subscribe(event => {
	const level = event instanceof OAuthErrorEvent ? 'error' : 'warn';
	console[level](event);
});

// NOTE(review): localStorage persists tokens across tabs and browser restarts
// and is readable by any script running on this origin (XSS). sessionStorage
// is the less exposed choice unless cross-tab sharing is actually required.
this.oauthService.setStorage(localStorage);
this.oauthService.configure(authCodeFlowConfig);
// Order matters here: silent refresh is wired up before the discovery
// document is loaded, exactly as in the original reproduction.
this.oauthService.setupAutomaticSilentRefresh();

// Fetch the discovery document (shown below) and attempt the login.
await this.oauthService.loadDiscoveryDocumentAndTryLogin();

this.isDoneLoadingSubject$.next(true);
{
	"issuer": "https://issuer.org",
	"jwks_uri": "https://issuer.org/.well-known/openid-configuration/jwks",
	"authorization_endpoint": "https://ui-endpoint.org/connect/authorize",
	"token_endpoint": "https://ui-endpoint.org/connect/token",
	"userinfo_endpoint": "https://ui-endpoint.org/connect/userinfo",
	"end_session_endpoint": "https://ui-endpoint.org/connect/endsession",
	"check_session_iframe": "https://ui-endpoint.org/connect/checksession",
	"revocation_endpoint": "https://ui-endpoint.org/connect/revocation",
	"introspection_endpoint": "https://ui-endpoint.org/connect/introspect",
	"frontchannel_logout_supported": true,
	"frontchannel_logout_session_supported": true,
	"backchannel_logout_supported": true,
	"backchannel_logout_session_supported": true,
	"scopes_supported": [
		"openid",
		"profile",
		"offline_access"
	],
	"claims_supported": [
		"sub"
	],
	"grant_types_supported": [
		"authorization_code"
	],
	"response_types_supported": [
		"code",
		"token",
		"id_token",
		"id_token token",
		"code id_token",
		"code token",
		"code id_token token"
	],
	"response_modes_supported": [
		"form_post",
		"query",
		"fragment"
	],
	"token_endpoint_auth_methods_supported": [
		"client_secret_basic",
		"client_secret_post"
	],
	"subject_types_supported": [
		"public"
	],
	"id_token_signing_alg_values_supported": [
		"RS256"
	],
	"code_challenge_methods_supported": [
		"plain",
		"S256"
	],
	"request_parameter_supported": true
}


As a temporary (hopefully) workaround I can override the prototype’s checkSession method.

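// Capture the library's implementation BEFORE installing the override. The
// original arrow function read `OAuthService.prototype.checkSession` lazily,
// so after the assignment below it returned the override itself — and it
// returned the function instead of calling it, so no session check ever ran.
const originalCheckSession = OAuthService.prototype.checkSession;

/**
 * Workaround: run the library's checkSession with `issuer` temporarily set to
 * the origin of the check_session_iframe, so the postMessage targetOrigin
 * matches the window that actually hosts the iframe.
 *
 * The target stays an exact origin (never '*'), so the session-check message
 * is only delivered to the expected frame. When no sessionCheckIFrameUrl is
 * configured the issuer's own origin is used, which is the library's current
 * behavior.
 *
 * NOTE(review): if the installed library version also validates the origin of
 * incoming session-check messages against `this.issuer`, that listener needs
 * the same adjustment — confirm against the version in use.
 */
OAuthService.prototype.checkSession = function () {
	const originalIssuer = this.issuer;
	const sessionCheckIFrameOrigin = new URL(this.sessionCheckIFrameUrl || this.issuer).origin;

	this.issuer = sessionCheckIFrameOrigin;
	try {
		// Invoke with the service instance as `this`; the original code lost it.
		originalCheckSession.call(this);
	} finally {
		// Always restore, even if checkSession throws: `issuer` is presumably
		// also what tokens are validated against elsewhere in the service, and
		// leaving it pointing at the iframe origin would break that silently.
		this.issuer = originalIssuer;
	}
};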