You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I was looking for suitable client OIDC OAuth2 javascript library to my Single page application(SPA). I researched and came accross this plusauth oidc-client library and looks very impressive and promising as it handles more use cases and feature rich for SSO login support. But i have this access token renewal with refresh token api call and faced some issues as i mention in below. I followed steps as per your documentation and saw some shortcomming in handling refresh token. SO i think it's worth bringing as issue and getting it addressed.
Environment: AWS Cognito as OIDC Provider.
Issue 1 - Retention of Refresh Token in OIDCClient:
The OIDCClient is not retaining the existing refresh token after its initial use to refresh the access token. This poses a problem, especially in scenarios where OIDC providers might have refresh token rotation policies that allow reusing the existing refresh token until it expires. In the case of AWS Cognito, which I'm using as the OIDC Provider, there is no provision to return the refresh token along with the renewed access token and ID Token during the refresh process. This results in a disrupted flow after the first refresh because the OIDCClient is not preserving the original refresh token. I researched on stackoverflow and other recomandations that during access token renewal, we will not get back refresh token. so in this api the refresh token is getting overwritten as blank. I was able to resolve it as an example below, there could be other ways too, but the refresh token has to be retained till user logout or it expires.
Issue 2 - Validation of IDToken in Handle Token Result Method:
The "handleTokenResult" method of client.ts calls the "validateIdToken" of jose.ts to validate the ID Token both during the initial authentication and when refreshing the access token. However, it appears that the validation process is checking for a valid nonce in the ID Token. This nonce is provided by the server during authentication using login credentials such as a username or email and password. Notably, when refreshing the access token using the refresh token (and not the credentials), the server does not include the nonce in the ID Token. Therefore, during the token validation process for refresh, If it can be optional and if not present, it should not validate for a valid nonce since it is not required in this context.
It's important to mention that I've also passed the nonce in the OIDCClient constructor during initialization. However, the OIDCClient is currently considering the nonce from the server, which may lead to this inconsistency in the validation process. So it could be made optional in this validation process.
I've arrived at these conclusions based on my analysis, research, and debugging. If there are any recommended adjustments or configurations that could be made within the OIDCClient library to address these issues, I would greatly appreciate your guidance on how to overcome them. Furthermore, if these observations are indeed indicative of bugs or shortcoming within the library, I kindly request your assistance in resolving them so that it may help more user community like me.
Thank you
The text was updated successfully, but these errors were encountered:
Hello,
I was looking for suitable client OIDC OAuth2 javascript library to my Single page application(SPA). I researched and came accross this plusauth oidc-client library and looks very impressive and promising as it handles more use cases and feature rich for SSO login support. But i have this access token renewal with refresh token api call and faced some issues as i mention in below. I followed steps as per your documentation and saw some shortcomming in handling refresh token. SO i think it's worth bringing as issue and getting it addressed.
Environment: AWS Cognito as OIDC Provider.
Issue 1 - Retention of Refresh Token in OIDCClient:
The OIDCClient is not retaining the existing refresh token after its initial use to refresh the access token. This poses a problem, especially in scenarios where OIDC providers might have refresh token rotation policies that allow reusing the existing refresh token until it expires. In the case of AWS Cognito, which I'm using as the OIDC Provider, there is no provision to return the refresh token along with the renewed access token and ID Token during the refresh process. This results in a disrupted flow after the first refresh because the OIDCClient is not preserving the original refresh token. I researched on stackoverflow and other recomandations that during access token renewal, we will not get back refresh token. so in this api the refresh token is getting overwritten as blank. I was able to resolve it as an example below, there could be other ways too, but the refresh token has to be retained till user logout or it expires.
ex:,
private async handleTokenResult( tokenResult: TokenResponse, authParams: AuthRequestOptions,
finalOptions: IPlusAuthClientOptions ){
...
....
...
if(tokenResult.refresh_token){
return {
authParams,
user,
...tokenResult,
id_token: parsedIDToken,
id_token_raw: tokenResult.id_token,
scope: tokenResult.scope || authParams.scope,
}
}
else{
return {
authParams,
user,
...tokenResult,
refresh_token: this.refreshToken,
id_token: parsedIDToken,
id_token_raw: tokenResult.id_token,
scope: tokenResult.scope || authParams.scope,
}
}
}
Issue 2 - Validation of IDToken in Handle Token Result Method:
The "handleTokenResult" method of client.ts calls the "validateIdToken" of jose.ts to validate the ID Token both during the initial authentication and when refreshing the access token. However, it appears that the validation process is checking for a valid nonce in the ID Token. This nonce is provided by the server during authentication using login credentials such as a username or email and password. Notably, when refreshing the access token using the refresh token (and not the credentials), the server does not include the nonce in the ID Token. Therefore, during the token validation process for refresh, If it can be optional and if not present, it should not validate for a valid nonce since it is not required in this context.
ex:
export function validateIdToken( id_token: string, nonce: string, options: IPlusAuthClientOptions, refreshToken:string | undefined ) {
....
...
if (refreshToken !== undefined && nonce !== jwt.payload.nonce ) {
throw new Error(
Invalid nonce in id_token: ${ jwt.payload.nonce }
);}
.....
}
It's important to mention that I've also passed the nonce in the OIDCClient constructor during initialization. However, the OIDCClient is currently considering the nonce from the server, which may lead to this inconsistency in the validation process. So it could be made optional in this validation process.
I've arrived at these conclusions based on my analysis, research, and debugging. If there are any recommended adjustments or configurations that could be made within the OIDCClient library to address these issues, I would greatly appreciate your guidance on how to overcome them. Furthermore, if these observations are indeed indicative of bugs or shortcoming within the library, I kindly request your assistance in resolving them so that it may help more user community like me.
Thank you
The text was updated successfully, but these errors were encountered: