Check session fails if sts server has a different origin than the check_session_iframe #933
Describe the bug
When the OIDC provider configuration of the sts server contains a different origin for the check_session_iframe property, the checkSession will fail with the following error:
To Reproduce
Steps to reproduce the behaviour:
Expected behavior
checkSession should use the origin of the sessionCheckIFrameUrl to communicate using postMessage.
Config
Workaround and additional issue
I found a workaround for this issue by just setting the stsServer to "https://auth.org", which also serves the same provider configuration document as "https://issuer.org", but this leads me to another issue I discovered.
According to the OpenID Connect Discovery specification the issuer must be used to retrieve the configuration and the issuer returned in the configuration must be the same as the one used to retrieve the configuration.
Currently that is not the case. The stsServer or authWellknownEndpoint configuration property is used to retrieve the provider configuration. Afterwards, the issuer returned from that configuration is used to validate the token issuer.
I would expect that the issuer entry from the provider configuration is validated against the stsServer.
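The two behaviours the report asks for, a postMessage target origin derived from the check_session_iframe URL and a discovery document whose issuer is checked against the configured issuer, as an added example. This is not code from the pull request or from the library it targets; the discovery document below is constructed for illustration (issuer and check_session_iframe deliberately on different origins, as in the report), and the function names are assumptions.

```javascript
// Added example, not the project's own code. Assumes a discovery document
// shaped per OpenID Connect Discovery 1.0 and the global URL class (Node and browsers).

// Constructed sample: the issuer and the session-check iframe live on different origins.
const SAMPLE_DISCOVERY = {
  issuer: "https://issuer.org",
  check_session_iframe: "https://auth.org/connect/checksession",
};

// The origin to use both as the postMessage targetOrigin and as the only
// event.origin accepted for replies: taken from the iframe URL, not from stsServer.
function checkSessionOrigin(checkSessionIframeUrl) {
  return new URL(checkSessionIframeUrl).origin;
}

// OIDC Discovery: the document fetched for a configured issuer must carry that
// same issuer value; anything else is a misconfiguration or a wrong document.
function validateDiscoveryIssuer(configuredIssuer, discovery) {
  const expected = configuredIssuer.replace(/\/+$/, "");
  if (typeof discovery.issuer !== "string") {
    return { ok: false, reason: "issuer missing from provider configuration" };
  }
  const actual = discovery.issuer.replace(/\/+$/, "");
  if (actual !== expected) {
    return { ok: false, reason: `issuer mismatch: expected ${expected}, got ${actual}` };
  }
  return { ok: true };
}

// Session Management: the RP posts "<client_id> <session_state>" to the OP iframe.
// Returning the target origin alongside the message makes the pairing explicit.
function buildCheckSessionRequest(clientId, sessionState, discovery) {
  return {
    message: `${clientId} ${sessionState}`,
    targetOrigin: checkSessionOrigin(discovery.check_session_iframe),
  };
}

// Browser wiring (not exercised here): send the request to the iframe's contentWindow.
function postCheckSession(iframeWindow, clientId, sessionState, discovery) {
  const { message, targetOrigin } = buildCheckSessionRequest(clientId, sessionState, discovery);
  iframeWindow.postMessage(message, targetOrigin);
  return targetOrigin;
}

// Reply handler: accept only messages from the iframe's origin and only the
// three values the spec defines; everything else is ignored.
function handleCheckSessionReply(event, expectedOrigin) {
  if (event.origin !== expectedOrigin) return "ignored";
  if (event.data === "changed" || event.data === "unchanged" || event.data === "error") {
    return event.data;
  }
  return "ignored";
}

// Example usage with the constructed document.
const check = validateDiscoveryIssuer("https://issuer.org", SAMPLE_DISCOVERY);
const request = buildCheckSessionRequest("my-client", "abc123", SAMPLE_DISCOVERY);
console.log(check, request);
```

With the constructed document, validation against "https://issuer.org" passes while the workaround setting of "https://auth.org" fails the issuer check, and the request targets "https://auth.org" because that is where the iframe is served from.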