
Listen for storage to receive auth hash from popup #935

Merged
merged 2 commits into from
Jul 16, 2021

Conversation

l1b3r
Contributor

@l1b3r l1b3r commented Sep 13, 2020

Currently, the initLoginFlowInPopup method is expecting to receive a message from the popup via postMessage by subscribing to it via:

```js
window.addEventListener('message', listener);
```

Unfortunately this doesn't always work: when the auth provider is on a different domain and the auth process includes redirects within the popup to even more upstream authentication authorities on a third domain, and the flow eventually comes back to the original application domain, the popup no longer "remembers" its window.opener. AFAIU this is done for security reasons. This means that the popup has no one to postMessage to, and the parent application is left there waiting forever.

This MR suggests adding a storage event fallback. The parent application launches the popup and listens for two sources instead of one: 'message' events (received by postMessage on the other side) and 'storage' events, which the popup can fall back to if it has no parent or opener to refer to.

Here's an example of the silent-refresh.html to support the idea:

```html
<html>
<body>
<script>
    if (window.parent && window.parent !== window) {
        // if loaded as an iframe during silent refresh
        window.parent.postMessage(location.hash, location.origin);
    } else if (window.opener && window.opener !== window) {
        // if loaded as a popup during initial login
        window.opener.postMessage(location.hash, location.origin);
    } else {
        // last resort for a popup which has been through redirects and can't use window.opener
        localStorage.setItem('auth_hash', location.hash);
        localStorage.removeItem('auth_hash');
    }
</script>
</body>
</html>
```
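The parent-side counterpart of the silent-refresh.html above, as an added example that is not part of the PR or of the library's own code: one receiver that accepts the auth hash from either a `message` event (the popup still has `window.opener`) or a `storage` event (the popup fell back to `localStorage.setItem`/`removeItem`). The `message` branch checks `event.origin` against the application's own origin before trusting the payload, and the `storage` branch ignores the `newValue === null` event that `removeItem` fires, so the one-line `setItem`/`removeItem` pattern from the popup yields exactly one result. The `auth_hash` key comes from the PR; the function names, the `expectedOrigin`/`timeoutMs` options and the `event.target`-style parameter are assumptions made for this example.

```javascript
// Added example: parent-window receiver for the popup login flow described in the PR.
// Assumed names: AUTH_HASH_KEY mirrors the 'auth_hash' key used by silent-refresh.html;
// parseAuthHash, handleAuthEvent and waitForAuthHash are hypothetical helpers, not library API.
const AUTH_HASH_KEY = 'auth_hash';

// Turn "#access_token=...&state=..." into an object; null when it carries no auth response.
function parseAuthHash(hash) {
  if (typeof hash !== 'string') return null;
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  const looksLikeAuthResponse = ['access_token', 'id_token', 'code', 'error']
    .some((name) => params.has(name));
  return looksLikeAuthResponse ? Object.fromEntries(params.entries()) : null;
}

// Pure decision function: given one event from either channel, return the parsed hash
// (tagged with its source) or null if the event must be ignored.
function handleAuthEvent(kind, event, expectedOrigin) {
  if (kind === 'message') {
    // Only the application's own origin may deliver the hash; anything else is dropped.
    if (event.origin !== expectedOrigin) return null;
    const parsed = parseAuthHash(event.data);
    return parsed ? { source: 'message', ...parsed } : null;
  }
  if (kind === 'storage') {
    // storage events only fire for same-origin documents, but still pin the key, and skip
    // the removeItem notification (newValue === null) that follows the setItem.
    if (event.key !== AUTH_HASH_KEY || event.newValue === null) return null;
    const parsed = parseAuthHash(event.newValue);
    return parsed ? { source: 'storage', ...parsed } : null;
  }
  return null;
}

// Subscribe to both channels on `target` (window in a browser) and resolve with the first
// accepted hash; both listeners are removed as soon as one of them wins or the timeout fires.
function waitForAuthHash(target, { expectedOrigin, timeoutMs = 60000 } = {}) {
  return new Promise((resolve, reject) => {
    let timer;
    const cleanup = () => {
      target.removeEventListener('message', onMessage);
      target.removeEventListener('storage', onStorage);
      clearTimeout(timer);
    };
    const onMessage = (event) => {
      const result = handleAuthEvent('message', event, expectedOrigin);
      if (result) { cleanup(); resolve(result); }
    };
    const onStorage = (event) => {
      const result = handleAuthEvent('storage', event, expectedOrigin);
      if (result) { cleanup(); resolve(result); }
    };
    target.addEventListener('message', onMessage);
    target.addEventListener('storage', onStorage);
    timer = setTimeout(() => {
      cleanup();
      reject(new Error('timed out waiting for auth hash from popup'));
    }, timeoutMs);
  });
}

// Browser usage (not executed here): start listening before opening the popup so that a
// fast popup cannot deliver the hash before the listeners exist.
// const pending = waitForAuthHash(window, { expectedOrigin: window.location.origin });
// const popup = window.open('/auth-start', 'login', 'width=500,height=600');
// pending.then((hash) => { popup.close(); /* hand hash.access_token etc. to the library */ });
```

Registering the listeners before calling `window.open` matters for the storage path in particular: the popup writes and immediately removes the key, so a parent that subscribes late sees nothing and waits for the timeout.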

@l1b3r
Contributor Author

l1b3r commented Sep 13, 2020

Also reflected the necessary changes to silent-refresh.html in the docs and in the sample application.
