Error when handling callback #5

Closed
christiansyoung opened this issue Jul 20, 2016 · 13 comments

@christiansyoung

I am trying out the lib and based my code on the redux-oidc-example app with Google auth.

I get the following error when returning to the callback:

redux-oidc.js:1 Uncaught (in promise) Error: Error handling redirect callback: signature validation failed

I was also wondering how I could turn on logging on the oidc-client lib to further investigate? I tried doing `import Oidc from 'oidc-client'; Oidc.Log.logger = console;` both in my Root React component and in my express server, but nothing shows.

@maxmantz
Owner

maxmantz commented Jul 20, 2016

Make sure you are using https instead of http when making the request. When you're using the HTTP version (http://redux-oidc-example.herokuapp.com/) it won't work but with SSL it works.

I haven't yet tried logging in oidc-client. I'll have a look and see what I can come up with. I'll post what I can find here.

@christiansyoung
Author

I see, is it Google that enforces the request to come from HTTPS? So I need to use HTTPS in my Express server when developing as well?

@maxmantz
Owner

Yes. Google requires a callback URI with SSL enabled.

@christiansyoung
Author

Made Express use https now, but I get the same error :(

Here is what I do when logged out of Google in incognito with empty localStorage:

  • Trigger login
  • Get redirected to Google's consent screen -> Allow
  • Get redirected to this (jwt obscured) https://localhost:8000/callback#state=862de4e1f9c24a7d9917653604f3d650&access_token=ya29.Ci8mA082OaSl1NaJOFFeLz<SNIP>OPWMUEdXayiGm0J3H8X--Ztdym60SBFA03KoA&token_type=Bearer&expires_in=3600&id_token=<SNIP>&authuser=0&session_state=d5350fbc4fdd649aef77caf4b16dcee33385e28e..edc9&prompt=consent
  • CallbackComponent triggers
  • CallbackComponent fails with the following again:
    redux-oidc.js:1 Uncaught (in promise) Error: Error handling redirect callback: signature validation failed

This time I also got:
Failed to clear temp storage: It was determined that certain files are unsafe for access within a Web application, or that too many calls are being made on file resources. SecurityError

Thank you for helping out!

@maxmantz
Owner

maxmantz commented Jul 20, 2016

I've just tried this with the example app but couldn't reproduce the issue. Have you tried clearing the cache and refreshing (Shift + F5)? From what I've researched this could be the reason for the second error message you've received.

@maxmantz
Owner

I can also see that your localhost port (8000) is not matching the example app's port (8080). If you're using my client_id this won't work because it requires https://localhost:8080 as the base URL. But I guess you're using your own client_id registered with Google...

@christiansyoung
Author

I am using my own client_id from an OAuth 2.0 client ID. I tried creating a new app, but that didn't help. Maybe if I could figure out how to log oidc-client, I could read the raw exception from https://github.com/IdentityModel/oidc-client-js/blob/178d19f279bfeb39915db9fc443623605130da33/src/JoseUtil.js#L111 (if that is the code that triggers it).

I tried a hard clear of cache, hard refresh and using incognito mode. Doesn't work. I can try changing to port 8080 and using your client_id to eliminate that problem.

@christiansyoung
Author

Changing to your client_id yields the same error.

@maxmantz
Owner

If you're using Google you will have to use your client_id otherwise Google would mistake your app for my example app. It is hard to pinpoint the exact reason why the JWT validation fails. Maybe @brockallen can help with this?

@christiansyoung
Author

I disabled all my security like CORS/CSP, headers etc., and I got through. I will try to figure out exactly what triggered it.

Btw: In your wikipage https://github.com/maxmantz/redux-oidc/wiki/2.-Configuration, you give the following example of a successCallback. I used this initially, but the user.state object is undefined for me. I only use react-router, so I changed it to router.push('/'); (from this.context.router)

successCallback = (user) => {
  // the user object gets the browser's URL before
  // redirection was triggered passed into its state
  const urlBeforeRedirection = user.state.redirectUrl;
  this.props.dispatch(push(urlBeforeRedirection));
};

@maxmantz
Owner

maxmantz commented Jul 20, 2016

This is an error in the wiki. Thank you for pointing this out. The redirectUri will only get passed if you're using the automatic redirection with the middleware. If not, in your custom behavior, you will have to pass in the current URL yourself by doing this:

userManager.signinRedirect({
  data: {
    redirectUrl: window.location.href
  }
});

Then you can access the redirectUrl in the CallbackComponent.
Will update the wiki ASAP.
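
An added example, not part of the thread or of redux-oidc itself: one way a successCallback could pick its post-login route when `user.state` may be undefined (the case reported above) and the restored `redirectUrl` is treated as untrusted input. The function name `resolvePostLoginPath`, its parameters and the sample objects are hypothetical; the `/callback` route is taken from the URL shown earlier in the thread.

```javascript
// Hypothetical helper: returns an in-app path that is safe to hand to
// router.push() / push(). Falls back when state is missing or off-origin.
function resolvePostLoginPath(user, appOrigin, options = {}) {
  const fallback = options.fallback || '/';
  const callbackPath = options.callbackPath || '/callback';

  // user.state is undefined unless data was passed to signinRedirect()
  const candidate = user && user.state && user.state.redirectUrl;
  if (typeof candidate !== 'string' || candidate === '') {
    return fallback;
  }

  let target;
  try {
    // Resolve relative values against the app origin; absolute ones keep theirs
    target = new URL(candidate, appOrigin);
  } catch (err) {
    return fallback;
  }

  // Reject other origins, including scheme-relative ("//host") and
  // non-hierarchical schemes such as javascript:, whose origin is "null"
  if (target.origin !== new URL(appOrigin).origin) {
    return fallback;
  }

  // Never send the user back to the callback route with a stale response
  if (target.pathname === callbackPath) {
    return fallback;
  }

  // Hand the router a path only, so it cannot leave the application
  return target.pathname + target.search + target.hash;
}

// Constructed sample input mimicking the object given to successCallback
const sampleUser = {
  state: { redirectUrl: 'https://localhost:8000/items?id=3#top' }
};
console.log(resolvePostLoginPath(sampleUser, 'https://localhost:8000'));
```

Inside the callback this would replace the direct read of `user.state.redirectUrl`, with `window.location.origin` passed as `appOrigin`.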

@christiansyoung
Author

Thanks, that worked.
It was not my security that triggered the signature error, it was me trying to log oidc-client. When commenting out security related code, I also commented out the logging code without thinking about it.

@maxmantz
Owner

Glad I could help.
