
"validating access_token failed. wrong state/nonce." when performing silentRefresh manually #472

Closed
gustavshf opened this issue Nov 14, 2018 · 5 comments

Comments

@gustavshf

gustavshf commented Nov 14, 2018

Angular version: 5.2.7
angular-oauth2-oidc version: 3.1

I have the following setup:

oauthConfig.clientId = authConfig.clientId;
oauthConfig.redirectUri = this.checkURL(authConfig.redirectUri);
oauthConfig.scope = authConfig.scope;
oauthConfig.oidc = true;
oauthConfig.issuer = this.checkURL(authConfig.issuer);
oauthConfig.requireHttps = authConfig.requireHttps;
oauthConfig.silentRefreshRedirectUri = this.checkURL(authConfig.redirectUri + '/silent-refresh.html');
this.oauthService.configure(oauthConfig);
this.oauthService.setupAutomaticSilentRefresh();

When performing a silent refresh, I need to get the new access token and pass it to other parts of the application. This is how I attempt to get the token:

this.oauthService.events.subscribe(({ type }) => {
  switch (type) {
    case 'token_refreshed': {
      // This event doesn't get detected when the automatic silent refresh happens
      break;
    }
    case 'silently_refreshed': {
      // This event doesn't get detected when the automatic silent refresh happens
      break;
    }
    case 'token_expires': {
      this.oauthService.silentRefresh().then(() => {
        // Here I want to pass the new token to the other parts of the app
      }).catch((err) => { return; });
      break;
    }
  }
});

When I manually do the silent refresh, I get an error that says "validating access_token failed. wrong state/nonce.".

I have auto-silent refresh set up as well, however the events are not triggered when the silent refresh happens, so I can't pass the token to the other parts of the application there either.

The silent refresh request always returns 302 error.

Am I doing something wrong?

I'm using initImplicitFlow() BTW.

@manfredsteyer
Owner

302 should be fine. It's just the redirect back to your SPA.

This issue occurs most of the time due to a race condition. Is it possible that "at the same time" another part of the software is calling silentRefresh or initImplicitFlow?

In this case, the following sequence would happen:

  • silentRefresh creates a nonce (let's call it nonce1) and requests redirect
  • another silentRefresh/initImplicitFlow overrides it (let's call it nonce2)
  • token comes back with original nonce (nonce1)
  • lib detects that nonce1 !== nonce2 --> error
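
The overwrite sequence described above, as an added illustration that is not angular-oauth2-oidc's own code: one stored nonce slot, two overlapping refresh starts, and a guard that ignores a second start while one is in flight. The names (startRefresh, validateResponse, the Map-backed store) and the predictable nonce values are assumptions made for this model.

```typescript
// Added model of the nonce race (not the library's implementation).
type Store = Map<string, string>;

let counter = 0;
function newNonce(): string {
  // Constructed, predictable nonces so the sequence is easy to follow;
  // a real client uses a cryptographically random value.
  counter += 1;
  return `nonce${counter}`;
}

// Start a refresh: remember the nonce we expect the IdP to echo back.
// Returns the nonce sent in the request (the IdP copies it into the id_token).
function startRefresh(store: Store): string {
  const nonce = newNonce();
  store.set("nonce", nonce); // single slot: a later start overwrites it
  return nonce;
}

// Compare the token's nonce claim with the stored one, as the library does.
function validateResponse(store: Store, tokenNonce: string): string {
  const expected = store.get("nonce");
  if (expected !== tokenNonce) {
    return "validating access_token failed. wrong state/nonce.";
  }
  store.delete("nonce");
  return "ok";
}

// Race: the second start overwrites nonce1 before the first response arrives.
function raceScenario(): string {
  const store: Store = new Map();
  const nonce1 = startRefresh(store);
  startRefresh(store);                    // nonce2 replaces nonce1 in the store
  return validateResponse(store, nonce1); // token carries nonce1 -> mismatch
}

// Guard: refuse to start another refresh while one is still in flight.
function startRefreshGuarded(store: Store): string | null {
  if (store.has("nonce")) return null; // one in flight, ignore the second
  return startRefresh(store);
}

function guardedScenario(): string {
  const store: Store = new Map();
  const nonce1 = startRefreshGuarded(store) as string;
  const second = startRefreshGuarded(store); // null: nothing overwritten
  return second === null ? validateResponse(store, nonce1) : "unexpected";
}
```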

@gustavshf
Author

@manfredsteyer
Thank you for the response!

Just double-checked the application - there is no way that any other part of the application is calling silent refresh or init implicit flow. Are there any other possible reasons?

Another weird thing is that if I have automatic silent refresh set up, this.oauthService.events.subscribe only detects 'token-expires' event and does not detect the 'silently_refreshed' event.

@manfredsteyer
Owner

Can you reproduce this using a simple example?

@gustavshf
Author

Never mind, it turns out I was using the wrong redirectUri in the config. This issue can be closed.

@jeroenheijmans
Collaborator

@gustavshf Good to hear you found the root cause. I think you can close the issue yourself; there should be a button next to the green "Comment" button at the bottom of the page.
