Invalid Redirect URI on version 11 #801

Closed
cvbc2010 opened this issue Jun 26, 2020 · 5 comments

@cvbc2010

cvbc2010 commented Jun 26, 2020

Describe the bug
IdentityServer4.Validation.TokenRequestValidator: Error: Invalid redirect_uri{ redirectUri = https://localhost:44308/silent-renew.html, expectedRedirectUri = https://localhost:44308 }

To Reproduce

```typescript
const setupAction$ = httpClient.get<any>(`/api/ClientAppSettings`).pipe(
        map((customConfig) => {
            return {
                stsServer: customConfig.stsServer,
                redirectUrl: window.location.origin,
                postLogoutRedirectUri: window.location.origin,
                clientId: customConfig.client_id,
                responseType: customConfig.response_type,
                scope: sessionStorage.getItem('LoginScopes') ? sessionStorage.getItem('LoginScopes') : customConfig.scope,
                startCheckSession: customConfig.start_checksession,
                silentRenew: customConfig.silent_renew,
                silentRenewUrl: customConfig.redirect_url + '/silent-renew.html',
                postLoginRoute: customConfig.startup_route,
                forbiddenRoute: customConfig.forbidden_route,
                unauthorizedRoute: customConfig.unauthorized_route,
                logLevel: environment.production ? LogLevel.Warn : LogLevel.Warn, // LogLevel.Debug,
                maxIdTokenIatOffsetAllowedInSeconds: customConfig.max_id_token_iat_offset_allowed_in_seconds,
                historyCleanupOff: true,
                // autoUserinfo: false,
            };
        }),
        switchMap((config) => oidcConfigService.withConfig(config))
    );
```

Expected behavior
Should get an access token with the authorization code, and it should pass the correct redirect URI within the request.

I have gone through #534 (it says it is not the correct way to implement changing redirect_uri) and #566, and couldn't understand what I am supposed to do to fix the issue.


@philippesc
Contributor

Same issue on this one. Any reason why this was labeled as question?

@cvbc2010
Author

@damienbod can you check this bug? Or could we switch back to v10 for now?

@damienbod
Owner

damienbod commented Jul 1, 2020

Hi @cvbc2010 @philippescher, have you added the silent renew URL to the STS? I added the question label because, reading the error message, it says that the STS server does not support the URL used for the silent renew. Could you validate that your server supports both the silent renew URL and the authorize URL? You should have 2 URLs supported which match exactly.

Greetings Damien

damienbod removed the question label Jul 1, 2020

@sekoch

sekoch commented Jul 2, 2020

I receive this error when I protect the root route. In my auth guard I check via isAuthenticated$ and redirect to unauthorized, which initiates an auto login. I can also implement the auto login in the auth guard (just router navigate to autologin). In the app.component.ts I have implemented the checkAuthIncludeServer(), so it's a race condition.

The Guard is executed first -> redirect to unauth -> auto login (authorize()), the checkAuthIncludeServer in the app.component.ts checks via silent renew... So the redirect url does not match with the code and the identity server sends 400 bad request.

2 requests were made:

https://identity.xy.de/connect/authorize?client_id=webapp&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Fassets%2Fsilent-renew.html&response_type=code...
https://identity.xy.de/connect/authorize?client_id=webapp&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Fcallback&response_type=code...

If I implement checkAuthIncludeServer() in the guard and remove it from app.component.ts, it seems to be working if I am logged in at the identity server. If I am not logged in, the observable does not complete. That's the issue #779

@damienbod
Owner

@sekoch closing this as it had an invalid redirectURL or the issue in 779 which is now fixed in version 11.1.4. The default route should not be protected with a guard.
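
The two server-side checks the replies above refer to, as an added example that is not part of the thread and is not code from the library or from IdentityServer4: a toy STS that matches registered redirect URIs exactly and binds each authorization code to the redirect_uri it was issued for. All function names and sample values are hypothetical; the `invalid_grant` error name follows RFC 6749, not IdentityServer4's actual response.

```javascript
// Toy STS with hypothetical names; sample values are constructed for illustration.
const registered = new Set([
  'https://localhost:44308',
  'https://localhost:44308/silent-renew.html',
]);
const issuedCodes = new Map(); // authorization code -> redirect_uri it was issued for
let counter = 0;

// Authorize endpoint: exact string match against the registered list,
// with no prefix, origin or trailing-slash tolerance.
function authorize(redirectUri) {
  if (!registered.has(redirectUri)) {
    return { rejected: true, reason: 'redirect_uri not registered' };
  }
  const code = `code-${++counter}`;
  issuedCodes.set(code, redirectUri);
  return { code };
}

// Token endpoint: the code is single use and bound to the redirect_uri of the
// authorize request that produced it (RFC 6749 section 4.1.3).
function redeem(code, redirectUri) {
  const expectedRedirectUri = issuedCodes.get(code);
  issuedCodes.delete(code);
  if (expectedRedirectUri === undefined) {
    return { error: 'invalid_grant', reason: 'unknown or used code' };
  }
  if (expectedRedirectUri !== redirectUri) {
    return { error: 'invalid_grant', reason: 'Invalid redirect_uri', redirectUri, expectedRedirectUri };
  }
  return { access_token: 'constructed-token' };
}

// Client-side preflight: which configured URLs would the STS reject?
function unregisteredUrls(config) {
  return [config.redirectUrl, config.silentRenewUrl].filter((u) => !registered.has(u));
}

// The race from the thread: the code comes back from the login flow, but the
// client redeems it with the silent renew URL.
function crossedFlows(config) {
  const { code } = authorize(config.redirectUrl);
  return redeem(code, config.silentRenewUrl);
}
```

With both URLs registered, `crossedFlows` still fails: registration is necessary, but the code must also be redeemed with the same redirect_uri that requested it.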
