Firefox silent refresh changes main page URL

[wentzt-engtech]

I ran into an issue in Firefox where the silent refresh was triggering a location change which is causing an issue for us. This was brought up before in #408. The clearing of the hash in Firefox results in the '#' character being added to the URL. There is code to prevent clearing the hash if it is not an oidc flow by checking preventClearHashAfterLogin which appears to only be set when doing a silent refresh.

angular-oauth2-oidc/projects/lib/src/oauth-service.ts

Line 1360 in 0274cf5

if (this.clearHashAfterLogin && !options.preventClearHashAfterLogin) {

However, for oidc, the hash gets cleared in the processIdToken then() just a little bit below, and preventClearHashAfterLogin does not get checked.

angular-oauth2-oidc/projects/lib/src/oauth-service.ts

Line 1386 in 0274cf5

if (this.clearHashAfterLogin) {

It looks like the additional check should be added to that line so that silent refreshes don't affect the main document location/URL when using oidc.

I also noticed that the iframe url keeps the tokens in the URL hash. I don't know if that is the expected behavior. Either way, from the discussion in #408 (comment) it doesn't sound like the silent refresh should affect the main document's URL/location.

Thanks!

[LouisBernath]

I have the same issue.
From what I saw in the debugger, location.hash gets cleared correctly in the code. But Firefox if window.location.hash is empty and the code (you mentioned above) re-sets with an empty string '', firefox will add an '#' at the end of the url.

I'm not sure if this is standard compliant behaviour or a firefox bug...

Edit: here a simple javascript repro that demonstrates the problem
https://gist.github.com/Burnaster/ba69a7307b7a423acd78186937185ed2

[pfbrowning]

This issue affects me as well. My workaround is to turn off clearHashAfterLogin after processing the initial login:

this.oauthService.loadDiscoveryDocumentAndTryLogin()
	.then(() => {
		this.oauthService.setupAutomaticSilentRefresh();
		this.oauthService.clearHashAfterLogin = false;
	})

You can set clearHashAfterLogin in your configuration. However I'm waiting until after a successful initial login before turning it off because I do want to clear hash on the initial login: I just don't want to clear it on silent refresh.

This seems to solve the problem, but it's a workaround rather than a proper fix. As originally suggested by @jeroenheijmans in #408, I think that a proper solution would involve updating this:

angular-oauth2-oidc/projects/lib/src/oauth-service.ts

Line 1654 in a1652dc

if (this.clearHashAfterLogin) {

such that we're also checking to ensure that there actually is a hash value before clearing it. Something like:

if (this.clearHashAfterLogin && location.hash != '') {
	location.hash = '';
}

[jeroenheijmans]

I confirmed this bug using my sample repo after disabling the very same clearHashAfterLogin = true workaround. We also encounter this in our production application, where setting an empty # causes Firefox to scroll to the top, which is especially annoying if a silent refresh triggers it!

I also confirmed that adding the extra check for ... && !options.preventClearHashAfterLogin does the trick.

I'll add a PR to update this.