Skip Discovery Phase and Define Identity Endpoints #763
Comments
Hi @slaterx, thank you for your issue. Implicit is not supported by choice of enforcing security first.
Thank you for your quick reply, that was fast! Yeah, we are kinda in a hurry, so that would be appreciated. If you need a hand, just let me know how I can help you, happy to assist in a PR to get this feature done! Reading your source, it seems that the easiest way is to add an openid AuthorizationServiceConfigurationJson prop to OidcConfiguration then add some conditionals on initAsync, is that right?
Yeah exactly, a condition in initAsync to always return the predefined configuration. I can make a pull request and a beta version for you in a few hours.
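The conditional agreed on above, as an added JavaScript sketch that is not the library's code and not part of any comment in this thread. The `endpoints` option, `resolveConfiguration`, `validateEndpoint` and the `idp.example` host are hypothetical; only the `initAsync` name comes from the discussion.

```javascript
// Added sketch, not the library's code. `endpoints`, resolveConfiguration and
// validateEndpoint are hypothetical names chosen for this illustration.
const REQUIRED = ['authorization_endpoint', 'token_endpoint'];

function validateEndpoint(name, value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    throw new Error(`${name}: not an absolute URL`);
  }
  const loopback = ['localhost', '127.0.0.1'].includes(url.hostname);
  if (url.protocol !== 'https:' && !(url.protocol === 'http:' && loopback)) {
    throw new Error(`${name}: must use https (http allowed only on loopback)`);
  }
  // RFC 6749 section 3.1: endpoint URIs must not include a fragment.
  if (url.hash) throw new Error(`${name}: must not contain a fragment`);
  return url.href;
}

// Decide, without any network access, where the endpoints come from.
function resolveConfiguration(config) {
  if (!config.endpoints) {
    const base = config.authority.replace(/\/+$/, '');
    return { source: 'discovery', url: `${base}/.well-known/openid-configuration` };
  }
  // Fail closed: a partial static configuration must not silently fall back
  // to discovery, which is the request the deployment is trying to avoid.
  for (const name of REQUIRED) {
    if (!config.endpoints[name]) throw new Error(`${name}: required when discovery is skipped`);
  }
  const endpoints = {};
  for (const [name, value] of Object.entries(config.endpoints)) {
    endpoints[name] = validateEndpoint(name, value);
  }
  return { source: 'static', endpoints };
}

// Shape of the conditional discussed for initAsync: predefined endpoints win.
async function initAsync(config, fetchFn = globalThis.fetch) {
  const plan = resolveConfiguration(config);
  if (plan.source === 'static') return plan.endpoints;
  const res = await fetchFn(plan.url);
  if (!res.ok) throw new Error(`discovery failed: HTTP ${res.status}`);
  return res.json();
}
```

This removes only the discovery request; as the thread goes on to find, the token request after the callback is still a cross-origin call to the identity server.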
If you want, you can try to make a pull request yourself.
I'll try my luck, let's see where it takes me 😁
@guillaume-chervet this was the closest I could get, I got stuck here: Hopefully this is a good start and I just missed a comma somewhere 😅
oO
We have a similar issue as mentioned here, wondering: are we going to fix this issue soon?
Hi @khyapate, thank you for the information. I will fix it as soon as I can. I hope I can fix it before the end of next Monday 😀
Thank you so much @guillaume-chervet for your quick response. Yes, it resolved my use case. Thanks!
Hi @guillaume-chervet, thank you for taking over my PR and delivering it! Unfortunately, I did not have time to look at it again and try to get it fixed. So, testing your release, I do not get the CORS issue any longer, but now service worker won't load and I get the following error:
I tried to run the local development without HTTPS (thinking it could be because of the lack of certificates), but that way, I get an error about hook calls:
Does this mean we now have a minimum supported version of react/react-dom to use? Thanks,
Hi @slaterx, are you using react dom? If not, what is your use case?
@guillaume-chervet yes, we are using react-dom:
And we are also using react-router-dom:
I think I understood. It may work
Updating the name made the hook issues go away, but the app is now stuck on loading: I believe that there's something in the oidc code which puts the page into a wait mode (loading) while we do the discovery (now disabled because we have the auth endpoints). But I can't pinpoint myself where in the code that is - would that piece of code in the screenshot show up to you where that loading step might be? We will need to also add the conditional there, to move along since we won't make the discovery call when the endpoints are defined already.
Thank you for the information. I pretty much think it is a bug. I am trying to reproduce it.
@guillaume-chervet I'm also stuck with 'Loading' as mentioned above.
Does the 5.7.3-alpha0 version help you? I set react as peerDependencies (as it has to be)
@guillaume-chervet it did not, the behaviour remains the same. I created a repo for you to reproduce the issue: https://github.com/slaterx/react-oidc-issue Upon yarn start, you will see that the page is stuck on loading.
Thank you, it will help a lot. I will check it out in a few hours, as soon as I am in front of a computer ^^
This is due to the issue reported here: facebook/create-react-app#12279 (comment) But running installation with yarn is a valid workaround 👍 You can also run
Hi @slaterx, I found it! replace It will work :) I have to add a better error message for that case, and in witOidcSecure, I found that the configurationName and extras parameters are missing.
Hi @guillaume-chervet, the issue persists after your proposed fix: A good way to confirm the issue is by starting the local development server with HTTPS=true. This way, there's an SSL error on the browser and the worker code is not loaded. That way, the page loads without the OIDC code (which, obviously, means that all secure pages throw the default error - "Error authentication\nAn error occurred during authentication"): Another relevant point is that this time I can no longer see the service workers loaded (both on HTTP and HTTPS). I am running the latest release (5.7.5), but when I was running the alpha version I could see the service workers being loaded. We are a bit under pressure to move along with this implementation on our project, so if you could please help us pinpoint this bug it would be much appreciated! 😁
I will send you a pull request on your demo as soon as I restart my computer. You also have a dependencies problem.
I sent you a pull request: slaterx/react-oidc-issue#1
Thanks for the hard work @guillaume-chervet and huge help, it's working with your changes! I think that the takeaway here is that I'll have a URI context on my main SPA, (i.e. it won't be For the authentication stuff, the PR we did got the discovery phase done, but during the token validation after callback another CORS call is made and I get stuck where I was. Just to double confirm, assuming we are past the discovery phase, we cannot use the token received from /callback call straight away? We still need to call again the token endpoint to request the token one more time?
Hi @slaterx, your OIDC server should authorise CORS requests. I think you have to look at the configuration on the OIDC server or contact the guys that are in charge of it.
We were hoping to use this library to implement OIDC without hosting a backend, but with the CORS limitation, we expected to be able to complete the authentication without the discovery phase, however the token retrieval also implies CORS. Unfortunately, for security reasons, the auth provider is only providing implicit and authorization code without CORS. The only thing we can do is add the allowed redirect URIs, to make sure the provider will accept our authentication requests. We are able to authenticate and receive the callback with a valid code, but validating that code requires CORS again. Thank you very much for your help, we will try to implement something that retrieves the token with a code and reply it with appropriate cookies to fulfil both auth provider and browser security. You can close the incident.
Thank you @slaterx. It will not fit with the security of your company, but technically you can proxy OIDC HTTP requests from within your API. I close the pull request. Thank you!
Issue and Steps to Reproduce
Hi team,
Great job creating this lib, it's really cool and makes it very easy to implement secure SPAs.
I have a quite hard requirement on my hand and I am seeking clarifications about the best way to implement it. I have an implementation of OIDC to make but the identity server cannot and will not add our domain to CORS. How can we skip the discovery phase and give the actual endpoints that should be called? This identity server supports authorization code and implicit, but I read here (#751) that implicit is not supported.
Hence the question, how can I skip discovery and define the Authorization, Token, UserInfo and other endpoints to avoid the CORS issue?
Versions
v5.4.2
Screenshots
Expected
Actual
Only authority variable is documented.
Additional Details
"react": "^17.0.2",
"react-csv": "^2.2.2",
"react-dom": "^17.0.2",