[Bug]: Autologin Overrides Initial Authorization

[mborzsony]

Version

^18.0.1

Please provide a link to a minimal reproduction of the bug

NA

Please provide the exception or error you saw

NA

Steps to reproduce the behavior

NA

A clear and concise description of what you expected to happen.

We have a usecase where a inital request for a user registration contains a login_hint. 
On initialization the application does a checkAuth and validates the login_hint is present in the request and proceeds with a authorize request. 
The AutoLoginPartialRoutesGuard overides the Inital Request.

Additional context

app.component.ts:

  ngOnInit() {
    this.authService.checkAuth().subscribe(({ isAuthenticated}) => {
      if(!isAuthenticated){
        this.login();
      }else{
        this.loading = false;
      }
    });
  }

  login(){
    let url: URL =  new URL(window.location.href);
    let hint = url.searchParams.get('login_hint')?.toString();
    if(!!hint){
      this.authService.authorize('',{ customParams: { login_hint: `${hint}` }});
    }else{
      this.authService.authorize()
    }
  }

app.routes.ts:

export const routes: Routes = [
  { path: '', redirectTo: 'dashboards', pathMatch: 'full' },
  { path: 'callback', component: CallbackComponent },
  {
    path: 'dashboards',
    loadChildren: () =>
      import('../app/si-modules/si-dashboards/si-dashboards.module').then(
        (module) => module.SiDashboardsModule
      ),
    data: { breadcrumb: 'Dashboards' },
    canActivate: [AutoLoginPartialRoutesGuard],
  },

Configuration:

export const httpLoaderFactory = (httpClient: HttpClient) => {
    
    const config$ = TenantSettings(httpClient).pipe(
        map((response: any) => {
            return {
                postLoginRoute: '/dashboards',
                authority: response.authority,
                redirectUrl: `${window.location.origin}/callback`,
                postLogoutRedirectUri: window.location.origin,
                clientId: response.clientId,
                scope: response.scope,
                responseType: response.responseType,
                silentRenew: response.silentRenew, //true
                useRefreshToken: response.useRefreshToken, //true
                logLevel: LogLevel.Debug,
                triggerRefreshWhenIdTokenExpired: true,
                ignoreNonceAfterRefresh: true,
            };
        })
    );

    return new StsConfigHttpLoader(config$);
};

[mborzsony]

Here is the network behavior:

[HerrDerb]

Easy to reproduce:

• start with sample-code-flow-auto-login-all-routes.
• Have a redirectUrl to a AutoLoginPartialRoutesGuard protected route
• Instead of sync config providing, change config to loader and add a delay.
• This results in a endless authorization loop. (open console can already delay enough to brake the loop)

@mborzsony Did you find a workaround? This is an enabler criteria for us 😬
@FabianGosebrink did you find time already to have a look into that issue?

[FabianGosebrink]

Keep in mind that it takes a little time after the login to exchange the code to a token. The checkauth() is doing that for you, but you have to make sure it can do its work and THEN you call the protected route. This is why I like to work with a simple callback component which is publically available and not secured.

[HerrDerb]

@FabianGosebrink thanks for the quick and clarifying reply 🙂👍 Indeed it does work like that, although it has the feel of boiler plate as this has to be applied for each project.
Maybe this would be worth it for a little section in the documentation?

[FabianGosebrink]

Sure thing. You can take a look here as an example. Well, this is how I like to do it :-) I think we got that written down somewhere...if not, we should add this definitely.

[HerrDerb]

It kind of is written down with the sample-code-flow-auto-login-all-routes but it could not find any mention of why the unprotected callback route is necessary (timeout)

[HerrDerb]

Actually an easy way to avoid the callback route when only protected routes are configured is to add an app init provider

    provideAppInitializer(() =>{
      const  oss = inject(OidcSecurityService);
      return firstValueFrom(oss .checkAuth());
    }),

@mborzsony FYI

[FabianGosebrink]

It kind of is written down with the sample-code-flow-auto-login-all-routes but it could not find any mention of why the unprotected callback route is necessary (timeout)

It is basically only needed, when you have all other routes protected. There just has to be some public place where the lib can do its work.