Event 'discovery_document_loaded' is triggered twice, possibly causing nonce validation to fail #1199
Comments
Removed from problem description:
Method
While the documentation seems to imply that
With "the documentation" you mean the above-linked README, right? I think it might technically suggest that it's an "either / or" choice, but the way it says so might not be immediately obvious, especially to non-native speakers:
The "there is also" part implies that it's an alternative. It might be good to clarify that point?
It's pretty clear (to me, at least) that
...which (to me, at least) implies: "after you have initialized the code flow, you'll need to configure the OAuth2 client code and load the discovery document". That's what got me. Minor note: it may be worth it to remove that "-- as shown in the readme --" fragment, since we are in the README file. Minor suggestion: it may be worth it to combine configuration and initialization in a single method, something like
Will be fixed in the next version.
To reproduce
The issue can be verified very simply by editing the sample app in this repo, adding a couple of lines at the beginning of `AppComponent.constructor()` to log the event and adding a call to `oauthService.initCodeFlow()` to `AppComponent.configureCodeFlow()`:
The net effect is, the user cannot log in and is redirected to the login page over and over.
Analysis
In oauth-service.ts the `discovery_document_loaded` event gets published twice, once by `loadJwks()`, and then again by its caller, `loadDiscoveryDocument()`. This is probably inefficient but harmless, unless you call `initCodeFlow()` before invoking `loadDiscoveryDocumentAndTryLogin()`, as suggested in the "Logging in" section of the README.md file. The code flow init method (see lines 2706-2708 in oauth-service.ts) subscribes to the `discovery_document_loaded` event, invoking `initCodeFlowInternal()` upon reception. The nonce is created in the course of the execution of this last method.
If the event is thrown twice:
I suggest that the `discovery_document_loaded` event gets published only once.
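A runnable model of the double-publish sequence described in this issue, added here as an example; it is not code from angular-oauth2-oidc or from the issue author, and `EventBus`, `OAuthServiceModel`, `simulate`, the `idp.example` URL and the counter-based nonce are constructed stand-ins. It reproduces the nonce mismatch when the event fires twice, shows the issue's proposed fix (publish once), and additionally shows a take(1)-style guard on the subscriber side as a defensive alternative.

```typescript
// Added model (not angular-oauth2-oidc code) of the issue's publish/subscribe pattern; names are constructed.
type Listener = () => void;
// Minimal stand-in for the service's event stream; on() returns an unsubscribe function.
class EventBus {
  private listeners = new Map<string, Listener[]>();
  on(name: string, fn: Listener): () => void {
    this.listeners.set(name, [...(this.listeners.get(name) ?? []), fn]);
    return () => this.listeners.set(name, (this.listeners.get(name) ?? []).filter(l => l !== fn));
  }
  emit(name: string): void {
    for (const fn of this.listeners.get(name) ?? []) fn(); // arrays are replaced, not mutated, so this is safe
  }
}

class OAuthServiceModel {
  readonly events = new EventBus();
  readonly redirects: string[] = []; // authorize URLs the client would navigate to
  private storedNonce = ''; // stands in for the nonce kept in sessionStorage
  private counter = 0;
  private readonly duplicatePublish: boolean;
  constructor(duplicatePublish: boolean) { this.duplicatePublish = duplicatePublish; }
  loadDiscoveryDocument(): void {
    this.loadJwks();
    this.events.emit('discovery_document_loaded'); // the publish the issue suggests keeping
  }
  private loadJwks(): void {
    if (this.duplicatePublish) this.events.emit('discovery_document_loaded'); // the extra publish
  }
  // subscribeOnce models a take(1)-style guard on the subscriber side, a defensive alternative.
  initCodeFlow(subscribeOnce: boolean): void {
    const off = this.events.on('discovery_document_loaded', () => {
      if (subscribeOnce) off();
      this.initCodeFlowInternal();
    });
  }
  private initCodeFlowInternal(): void {
    this.storedNonce = `nonce-${++this.counter}`; // constructed; real code uses random bytes
    this.redirects.push(`https://idp.example/authorize?nonce=${this.storedNonce}`);
  }
  // The IdP echoes the nonce from the URL the browser actually navigated to: the first redirect.
  validateReturnedNonce(): boolean {
    const sent = this.redirects.length ? new URL(this.redirects[0]).searchParams.get('nonce') : null;
    return sent !== null && sent === this.storedNonce;
  }
}
// Runs the README's order: initCodeFlow() first, then the discovery document load.
function simulate(duplicatePublish: boolean, subscribeOnce: boolean): { redirects: number; valid: boolean } {
  const svc = new OAuthServiceModel(duplicatePublish);
  svc.initCodeFlow(subscribeOnce);
  svc.loadDiscoveryDocument();
  return { redirects: svc.redirects.length, valid: svc.validateReturnedNonce() };
}
```

With the duplicate publish and no guard, the second `initCodeFlowInternal()` run overwrites the stored nonce after the first redirect URL was already built, so the nonce the IdP returns no longer matches; either fix alone restores a single redirect and a passing check.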