Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check session fails if sts server has a different origin than the check_session_iframe #933

Merged
merged 2 commits into from
Jan 10, 2021
Merged

Check session fails if sts server has a different origin than the check_session_iframe #933

merged 2 commits into from
Jan 10, 2021

Conversation

Zortaniac
Copy link
Contributor

Describe the bug
When the OICD provider configuration of the sts server contains a different origin for the check_session_iframe property the checkSession will fail with the following error:

Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('https://issuer.org') does not match the recipient window's origin ('https://auth.org').

To Reproduce
Steps to reproduce the behaviour:

  1. Use issuer as stsServer in config to resolve well-known configuration
  2. Login using an IdentityServer that provides a different issuer URL as the check_session_iframe
  3. Wait for the checkSession to be invoked
  4. See the error in the console

Expected behavior
checkSession should use the origin of the sessionCheckIFrameUrl to communicate using postMessage.

Config

oidcConfigService.withConfig({
	stsServer: "https://issuer.org",
	redirectUrl: window.location.origin,
	postLogoutRedirectUri: window.location.origin,
	triggerAuthorizationResultEvent: true,
	clientId: clientId,
	scope: scope,
	responseType: 'code',
	startCheckSession: true,
	renewUserInfoAfterTokenRenew: true
});

{
	"issuer": "https://issuer.org",
	"jwks_uri": "https://issuer.org/.well-known/openid-configuration/jwks",
	"authorization_endpoint": "https://auth.org/connect/authorize",
	"token_endpoint": "https://auth.org/connect/token",
	"userinfo_endpoint": "https://auth.org/connect/userinfo",
	"end_session_endpoint": "https://auth.org/connect/endsession",
	"check_session_iframe": "https://auth.org/connect/checksession",
    	...
}

Workaround and additional issue
I found a workaround for this issue by just setting the stsServer to "https://auth.org" what also servers the same provider configuration document as the "https://issuer.org", but this leads me to another issue I discovered.

According to the OpenID Connect Discovery specification the issuer must be used to retrieve the configuration and the issuer returned in the configuration must be the same as the one used to retrieve the configuration.

Currently that is not the case. The stsServer or authWellknownEndpoint configuration property is used to retrieve the provider configuration. Afterwards the issuer returned from that configuration is used to validate the token issuer.

I would expect that the issuer entry from the provider configuration is validated against the stsServer.

@damienbod
Copy link
Owner

damienbod commented Jan 8, 2021
edited

@Zortaniac thanks!

LGTM

@FabianGosebrink ?

will test today and merge.

@damienbod damienbod merged commit 765d549 into damienbod:main Jan 10, 2021
@damienbod
Copy link
Owner

thanks for the PR! @Zortaniac This will be released in version 11.4.1

@Zortaniac
Copy link
Contributor Author

@damienbod thanks for the fast processing of the PR!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@FabianGosebrink FabianGosebrink FabianGosebrink approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@Zortaniac @damienbod @FabianGosebrink