Create redirect auth_callback to a protected site #3

Closed
LisaTatum opened this issue Dec 13, 2017 · 1 comment

@LisaTatum

Hi Scott,

First I want to say thank you for your sample. It works as a demo, but I am missing some real-life aspects it could consider ;-)

According to http://openid.net/specs/openid-connect-core-1_0.html you just have to define a redirect URI registered at the IdP, that's it.

Well there are open questions looking at your sample:

  1. Should the auth_callback route be protected by an AuthGuard? Should only authorized users activate that route?
  2. If not, my real-life application has ONLY protected routes. The Register route is done in another application and the Login is done by the IdP MVC UI. So when my auth_callback route has an AuthGuard, the auth_callback_component with the authService.completeAuthentication() function will NEVER be called, because the AuthGuard is called FIRST, doing this:

```typescript
canActivate(route: ActivatedRouteSnapshot, state: RouterStateSnapshot): boolean | Observable<boolean> | Promise<boolean> {
  if (this.authService.isLoggedIn()) {
    return true;
  }

  this.authService.startAuthentication();
  return false;
}
```

The authService.isLoggedIn function checks whether the user is !== null; since the user has not yet been reloaded here by the completeAuthentication function, the startAuthentication function will be called. This again triggers the auth_callback route and everything starts again... now it gets recursive...

As I said my app has only protected routes. And making a redirect after authorization to the auth_callback route always hits the AuthGuard first which wants to start the authentication again as the user is null.

Do you get my dilemma?
Maybe you have an idea :-)

@bertsinnema

bertsinnema commented Jan 22, 2018

@LisaTatum Since you closed this issue, have you found a solution? I too have this issue. It looks like it's caused by a race condition. Basically the canActivate code block is doing its check before the constructor of the injected AuthService has finished, as the Promise which is getUser() has not returned yet.
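
Added example, not part of either comment or of the sample project: a plain-TypeScript model (no Angular) of the two problems described in this thread, the guard sitting on the callback route and the guard checking before the stored user has loaded. `UserStore`, `AuthService`, `ready`, `redirectsToIdp`, `syncGuard`, `awaitingGuard` and `/auth-callback` are hypothetical names.

```typescript
// Added sketch; every name below is hypothetical and models the thread's scenario.
type User = { name: string };

// Stand-in for the OIDC client's user lookup: the result arrives asynchronously.
class UserStore {
  private stored: User | null;
  constructor(stored: User | null) { this.stored = stored; }
  getUser(): Promise<User | null> { return Promise.resolve(this.stored); }
}

class AuthService {
  private user: User | null = null;
  readonly ready: Promise<void>;
  redirectsToIdp = 0; // counts calls to startAuthentication()
  constructor(store: UserStore) {
    // The constructor returns before this promise settles, so user is still null.
    this.ready = store.getUser().then(u => { this.user = u; });
  }
  isLoggedIn(): boolean { return this.user !== null; }
  startAuthentication(): void { this.redirectsToIdp++; }
}

const CALLBACK_PATH = "/auth-callback";

// Guard as posted in the issue: synchronous check, attached to every route,
// so it also fires on the callback route and restarts the login.
function syncGuard(auth: AuthService): boolean {
  if (auth.isLoggedIn()) return true;
  auth.startAuthentication();
  return false;
}

// Variant: the callback route passes, every other route waits for the user lookup.
async function awaitingGuard(auth: AuthService, path: string): Promise<boolean> {
  if (path === CALLBACK_PATH) return true; // its component must run to finish sign-in
  await auth.ready;
  if (auth.isLoggedIn()) return true;
  auth.startAuthentication();
  return false;
}
```

Exempting the callback route exposes no protected content as long as that route only hands the IdP response to `completeAuthentication()`. `canActivate` may return a `Promise<boolean>`, as the signature quoted in the issue shows.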
