
change: deprecate options.url, enforce options.issuer #316

Merged (1 commit), Jan 22, 2020

aarongranick-okta (Contributor, author):

  • issuer is now a required option
  • option 'url' is deprecated and no longer used

@@ -122,7 +122,7 @@ function addPostMessageListener(sdk, timeout, state) {
// This may happen if apps with different issuers are running on the same host url
// If they share the same storage key, they may read and write tokens in the same location.
// Common when developing against http://localhost
if (e.origin !== sdk.options.url) {
if (e.origin !== sdk.getIssuerOrigin()) {
return reject(new AuthSdkError('The request does not match client configuration'));
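Review bot: the replaced comparison (`if (e.origin !== sdk.getIssuerOrigin())`) is an exact string match against `MessageEvent.origin`, which the browser always delivers as scheme://host[:port] with no path and no trailing slash, so the new helper has to reduce the configured `issuer` to its origin (issuers for custom authorization servers carry a path) or every postMessage response is rejected; a unit test asserting `getIssuerOrigin()` on an issuer with a path and a trailing slash would pin that down. Since `issuer` is now required, it would also help to state in the comment block above the check that `getIssuerOrigin()` cannot be undefined here, because an undefined expected origin would silently reject everything instead of failing at configuration time. The existing comment about apps with different issuers on the same host is still accurate after this change, since two issuers on the same host and port still share one origin.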
Reviewer (Contributor):

Does it make sense for the error message to be a bit more specific about what doesn't match?

aarongranick-okta (Contributor, author):

I vaguely recall some discussion around this back when the original code was put in. We want to be careful not to leak any sensitive information, since it does indicate a mismatch between token and app configuration (which is not expected, unless the app has a bug or there are multiple apps on the same domain, like with localhost), so the error should not be seen by end-users. Suggestions are welcome on this; maybe there is a message which is more helpful but does not reveal anything too specific.
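The pattern the hunk and this exchange describe, as an added example that is not okta-auth-js code: derive the expected origin from the configured `issuer` (assumed here to behave like `new URL(issuer).origin`, which is what the page's `getIssuerOrigin()` would need to do), compare it exactly with `e.origin` on each postMessage event, and keep the rejection message generic so it does not echo either the expected or the received origin back to a page that may be showing it to an end-user. The `makeMessageHandler` and `issuersShareOrigin` names are hypothetical; the issuer URLs in the comments are constructed.

```javascript
// Added example, not okta-auth-js code. Reduces an issuer URL to the value a
// browser puts in MessageEvent.origin: scheme://host[:port], no path, no slash.
// Issuers for custom authorization servers carry a path (e.g. the constructed
// https://dev-example.okta.com/oauth2/default), so the whole URL never matches.
function issuerOrigin(issuer) {
  return new URL(issuer).origin;
}

// The localhost caveat from the hunk's comment: two issuers on the same host
// and port have the same origin, so an origin check alone cannot tell them apart.
function issuersShareOrigin(issuerA, issuerB) {
  return issuerOrigin(issuerA) === issuerOrigin(issuerB);
}

// Builds a listener in the shape of the hunk's addPostMessageListener callback.
// `issuer` is required, as the PR makes it; missing configuration fails here,
// at setup, rather than silently rejecting every message later.
// The rejection text is deliberately generic (see the discussion above).
function makeMessageHandler(options, resolve, reject) {
  if (!options || typeof options.issuer !== 'string' || options.issuer === '') {
    throw new Error('issuer is a required option');
  }
  const expectedOrigin = issuerOrigin(options.issuer);
  return function onMessage(e) {
    if (e.origin !== expectedOrigin) {
      reject(new Error('The request does not match client configuration'));
      return false; // rejected
    }
    resolve(e.data);
    return true; // accepted
  };
}

// Stand-alone usage with constructed events.
const handler = makeMessageHandler(
  { issuer: 'https://dev-example.okta.com/oauth2/default' },
  (data) => console.log('accepted', data),
  (err) => console.log('rejected:', err.message)
);
handler({ origin: 'https://dev-example.okta.com', data: { id_token: 'constructed' } });
handler({ origin: 'https://other.example', data: {} });
```

Note that the check is `!==` on the full origin string, so a mismatched port or scheme is rejected just like a mismatched host; that is the behaviour you want for a listener that hands tokens to the page.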

@aarongranick-okta aarongranick-okta merged commit fa77f3a into v3.0 Jan 22, 2020
@aarongranick-okta aarongranick-okta deleted the ag-issuer-OKTA-141145 branch January 22, 2020 21:38
@aarongranick-okta aarongranick-okta mentioned this pull request Jan 31, 2020
@aarongranick-okta aarongranick-okta mentioned this pull request Mar 4, 2020