-
Notifications
You must be signed in to change notification settings - Fork 689
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validating access_token failed, wrong state/nonce #728
Comments
more info to understand this issue, |
Ermmm, it's been no more than 20 hours since you initially posted 😅 - there's not a large community here so it might take way longer to get an answer for questions. If you need faster feedback you could try Stack Overflow (they tend to have strict(er) rules about what you need to provide in a question for it to be answerable), or a colleague or paid consultant... As a footnote, after glancing at your code, I can mention I had more success by providing configuration and storage options via the module, you could try if that helps fix your issue? |
OP, did you ever try my suggestion? If not, could you help us figure out if you suspect a bug in the library, or have a question for help with your own implementation? For the latter I recommend Stack Overflow or a colleague/consultant though... |
Can you please retry this with this libs version 9.1 when it ships later today? |
TL;DR Ran into the same error with version 8.0.4 and it worked after upgrading to 9.2.0 My config: private readonly config: AuthConfig = {
issuer: environment.loginServiceUrl,
redirectUri: window.location.origin + '/index.html',
clientId: '...',
requestAccessToken: true,
requireHttps: false,
disableAtHashCheck: true,
oidc: true,
scope: 'oidc account profile offline_access api',
showDebugInformation: true,
disablePKCE: true,
skipSubjectCheck: true,
}; and used With 8.0.4, I got the same error: |
I am using version 9.2.1 with IdentityServer 4 and have the same problem.
If I enter the url again I am immediately logged in without any problems. To reproduce the problem I had to clear the browser cache. My configuration looks like this: {
issuer: environment.baseUrls.identityUrl,
redirectUri: environment.baseUrls.uiUrl,
postLogoutRedirectUri: environment.baseUrls.uiUrl,
clientId: 'spa',
scope: 'openid profile email services.api.read',
silentRefreshRedirectUri: environment.baseUrls.uiUrl + '/silent-refresh.html',
clearHashAfterLogin: false
} and later using: Is there any way to skip the nonce check? |
I'm have the same issue when using this.oauthService.loadDiscoveryDocumentAndLogin() Has this issue been fixed? |
Exact same issue here (9.2.2). "Validating access_token failed, wrong state/nonce." The document is loaded, the login form is displayed and the redirect works (with the code and token in the URL) -> cannot finalize login process and get my token :( |
I had the same issue using version 9.2.2 and Chrome or Firefox. I am still wondering though why the issue did not appear on Safari. |
The worst part of this is, the exception thrown causes an uncoverable application state in a way, that i am not able to redirect the user to any other page. So again my question, is there any way to disable the nonce check or atleast let it not throw an error? |
The ability to disable the nonce check might not be feasible, If I recall correctly it's mandatory by the spec? Certainly there should be either:
However, I am thinking about closing this specific issue. The original poster never responded anymore or tried Manfred's suggestion. Others commenting later about having the same symptom might or might not experience the same cause, but we have no up to date reproducible scenario. So it might be better if someone opens a fresh issue with a reproducible scenario using the latest version of the library (or at the least post one in this issue), so we can trace the cause and fix that? Again, by no means do I want to say that "there's no issue", I'm just looking for the clearest, most efficient path to getting a repro, and ultimately getting things resolved. |
I also encountered the same error. i did not make any changes to this repository.
|
EDIT: I managed to get it to work using #728 (comment). This should still be fixed or documented somewhere that it is necessary.
Just created a fresh project using angular CLI and followed the minimal example and getting this error. The |
Hi @jeroenheijmans , I had partial success with the below code
I have implemented the library in APP_INITIALIZER and using version 10.0.3. |
I had the same issue and it turned out that for us using localStorage was the problem. In my module i had:
The library then seems to mix session and localStorage resulting in the nonce being retrived from the "wrong" one. We swiched to sessionStorage (the default) and it works fine now. (version 9.0.1) |
The issue can be reproduced with the sample app:
-> After the redirect back to the sample app the main content of the app is empty.
|
Maybe the problem occurs if you do not use the default storage and you use the authorization already in the APP_INITIALIZER because the storageFactory for OAuthStorage is not yet initialized and the default is used instead of the configured one. |
I can only reproduce on Firefox, Chrome is fine. |
I wrote a workaround that stores the nonce and pkce verifier in localstorage. I would like to understand what's going on and why only firefox. I suspect maybe firefox handels localhost differently. Anyhow I implemented the OAuthStorage class like this and provided it in my core module.
|
I am able to reproduce this issue with the below code Custom storage import { OAuthStorage } from 'angular-oauth2-oidc';
export class MemoryStorageService implements OAuthStorage {
private data = new Map<any, any>();
getItem(key: string): string {
return this.data.get(key);
}
removeItem(key: string): void {
this.data.delete(key);
}
setItem(key: string, data: string): void {
this.data.set(key, data);
}
} Login Module export function createDefaultStorage() {
return new MemoryStorageService();
}
@NgModule({
imports: [
CommonModule,
HttpClientModule,
OAuthModule.forRoot({
resourceServer: {
allowedUrls: [], //http://www.angular.at/api allowed url we can add it here.
sendAccessToken: true
}
})
],
providers: [
{ provide: OAuthStorage, useFactory: createDefaultStorage }
]
})
export class loginModule {} |
@manandkumaar Well that makes sense. Both Implicit and Code flow include a redirect. After the redirect your Storage implementation will have 'lost' the Think of it this way:
In short, you can not use a full Hope that helps! |
So is the issue that the library is not using local or session storage by default? Considering that authorization code flow is the only flow to be used for OIDC according the current OAuth2 BCP this should either be documented properly or the default changed. The only use case a memory store would make sense is ROPC which is not recommended. |
Careful, my comment was a reply very specific to another user. In their snippet they override the default. The default from the library is |
I think the issue is that Firefox somehow clears the state from sessionstorage before navigating to the identity provider
… On 24 Mar 2021, at 13:23, Jeroen Heijmans ***@***.***> wrote:
So is the issue that the library is not using local or session storage by default?
Careful, my comment was a reply very specific to another user. In their snippet the override the default.
The default from the library is sessionStorage.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or unsubscribe.
|
There's many different people in this thread commenting, probably experiencing the same symptoms and possibly the same root cause. ⁉ What we really need is a reliable (and preferably minimal) way to reproduce this. For example:
Without a reproducible scenario, we can't find the root cause, or verify if people have the same or separate issues. I'm happy to help investigate, but all we have to go on currently are various partial code snippets, too many blanks to fill in. |
Hi @jeroenheijmans - some time ago I posted how I could reproduce the issue with the sample app: #728 (comment) |
Thx @synth3, I've traced the problem in the sample application and will add a PR to fix it there. This also strengthens my suspicion as to what other people in this thread are experiencing. ⚠ Important: read this if you have the same symptoms!Most likely you have the same problem as the sample application has. If you configure The easy way to validate if this is happening to you, is if you get an error similar to:
Check both Solution in this case: make sure you Another (dirty!) way to check if you have this problem is by doing Also, I personally prefer a different approach, which you can try in your app to solve the issue. It relies on using Angular DI to provide storage and config, and a very specific login sequence. If you still believe you have the same symptom but a different root cause: please open a fresh issue, but do include precise steps to reproduce the issue. That way we can trace any further bugs. Thanks!! |
Use same storage regardless of flow in sample The "smart" way to select a different storage type in the sample was causing issues. Sometimes the `setStorage(localStorage)` call would be made just before the _first_ time someone uses Code Flow which after the redirect causes the app to look in `sessionStorage` for the nonce (which it wont find as the initiation of Code Flow still used the localStorage). This fix changes it to always use the same storage type, which gives more reliable results. (I did consider further tweaking the "smart" way to select the right storage, but it's super hard to predict in which order(s) users will swap between flow types in the sample). See also: manfredsteyer#728 (comment) Fixes manfredsteyer#728
I'm having the same problem with the Firefox browser and Code Flow. |
@mliotinoca That's unfortunate! But plz create a (preferably minimal) way for us to reproduce the issue, otherwise there's no way to tell if it's a bug or not. |
@jeroenheijmans I'm sorry but at the moment I have no way; I can only add that the issue also occurs on Safari on iPad. |
No worries, but then we can't do much more here of course. (Except merging my PR to solve the version of this bug that is reproducible.) |
Thanks for all the efforts. Can the fix be merged and released? |
We had same symptoms. In our case the problem was us hosting in http and testing in firefox(v. 92) incognito mode. |
I have the same error when I duplicate application into the new tab in browser. My configuration file is:
|
@jeroenheijmans Thanks! |
This is a tough one. We are trying to reproduce for a really one-off use case and can't figure it out. I think part of the reason so many errors pop up, is that state/noonce is the first line of defense against replays. So many people are saying this error is happening, but really what they are saying is that the app isn't properly re-issuing a new token. Update: found a bug will report soon take a look at code here:
^ it always assumes that there will be one authentication happening across the app, and that it will always be nonce. So some people
My solution for this, would be a way to setup a module that is self contained to the component that are using it's services. That way, the name through and through can be propagated e.g. As a quick fix, what we are doing now is overriding the OAuthService and inserting our own code e.g.
|
I have a weird issue, because in my case nonce validation happens in... password flow. I tried to use this custom storage solution, and there is no call to save nonce in the storage - it's only being read from it. @jeroenheijmans do you have an idea why there is a nonce validation in password flow? My app does not send nonce. I know that it might be impossible to guess without an example, but we started to have this error message after upgrading from 10.0.3 to 13.0.01 |
I ran into this too. Specifically the user clicking on the link in a registration confirmation email using Firefox and Keycloak caused the What fixed this was changing the order of the providers array in the Module that configures the OAuthModule. Moving the OAuthStorage provider in the first position. Referring to this sample: https://github.com/jeroenheijmans/sample-angular-oauth2-oidc-with-auth-guards/blob/f0d6f99ba82dbe774710064c7af4631df4420713/src/app/core/core.module.ts#L32-L34 - move line 34 above line 32. So Instead of:
provide OAuthStorage first:
maybe this helps someone. :) |
@akolata Sorry, I'd stepped back a bit from moderating/answering issues here (see #1280), so I'm relying on the rest of the community to chip in. It seems @qirex found a way to move forward? They're referencing my own sample 😅 and although I'm not sure why the order of providers matters, it might be a fix for you too? Good luck! |
I believe I have found the root problem for this issue. It seems to be related to prefetching in Chrome. I have posted a detailed comment on this currently open issue in the Chromium project: |
Still see this issue in v17, problem that saved nonce is different from that which is in storage |
I've integrated OAuth Implicit flow in Angular 8 App, I've been getting below issue initial time especially in Firefox (incognito).
Initial time, there is no nonce in the local storage, how can it validateNonce (angular-oauth2-oidc.js - 2358 line) execute? This method is being thrown an exception initial time.
Desktop (please complete the following information):
The text was updated successfully, but these errors were encountered: