
No event emitted for failure to completeAuthorizationRequestIfPossible() in browser #228

@ruvieeto

Description


Expected Behaviour

[REQUIRED] Describe expected behavior

When there is a state or redirect_uri mismatch, an event should be emitted that can be used to detect this mismatch instead of simply logging to the console.

Describe the problem

When an authorization request fails due to a state or request_uri mismatch, there is nothing to hook into or listen to, that can be used to detect when that happens.

[REQUIRED] Actual Behavior

As part of our OIDC PKCE flow for authenticating application users, we use the completeAuthorizationRequestIfPossible() method to process a response from the OpenID Connect Provider.

We noticed an issue in our application where users were bookmarking (or their browser autocompletes to) the /callback route in our application. This callback route uses AppAuth-JS to process the response from the IdP. The problem is, users are bookmarking this callback route containing an old auth code and state.

When a user accesses this URL, it ultimately leads to a state mismatch as there is no pending request in local storage.

At this point, the authentication process ends with a log to the console.

From what I can see, there is no event emitted that we can listen to when this happens or relevant error thrown, which leaves our application "idle" without us knowing.

Is there currently something that we can hook into or listen to which indicates that this has happened?
If not, can something be provided?

Note: There are other instances that can lead to this failure path e.g. a user bookmarking an OpenID Connect Provider URL containing our application's redirect_uri but a state from a previous request. After authenticating with the IdP, the user is redirected successfully but hits a "dead end".

[REQUIRED] Steps to reproduce the behavior

Options to reproduce:

  • Remove the pending request from the browser local storage before attempting to process a response OR
  • Include an invalid state in the URL that does not match the state in the pending request stored in the browser local storage

[REQUIRED] Environment

  • AppAuth-JS version: 1.3.2
  • AppAuth-JS Environment (Node, Browser (UserAgent), ...): Browser
  • Source code snippets (inline or JSBin): N/A
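The two reproduction options above (pending request missing from storage, or a callback URL whose state does not match it) can be told apart before the response is handed to completeAuthorizationRequestIfPossible(), so the application gets an explicit outcome instead of a console log. The following is an added example, not AppAuth-JS code: the caller supplies the pending request's state (AppAuth-JS keeps that in local storage itself; no storage key is assumed here), and the listener list is a stand-in for whatever event bus the application uses.

```javascript
// Added example, not part of AppAuth-JS. Classifies the OIDC redirect callback
// so a bookmarked or stale /callback URL is reported rather than left "idle".
const CallbackOutcome = Object.freeze({
  NO_RESPONSE: 'no_response',               // /callback hit with no code/state/error at all
  NO_PENDING_REQUEST: 'no_pending_request', // storage holds no pending request (bookmark case)
  STATE_MISMATCH: 'state_mismatch',         // state in URL differs from the pending request
  PROVIDER_ERROR: 'provider_error',         // IdP answered the pending request with error=...
  READY: 'ready',                           // safe to call completeAuthorizationRequestIfPossible()
});

// callbackUrl: the full URL the browser landed on (absolute, so URL() can parse it).
// pendingState: the state of the request the app started, or null if none is stored.
function classifyCallback(callbackUrl, pendingState) {
  const params = new URL(callbackUrl).searchParams;
  const code = params.get('code');
  const state = params.get('state');
  const error = params.get('error');
  if (code === null && error === null) return CallbackOutcome.NO_RESPONSE;
  if (pendingState === null || pendingState === undefined) {
    return CallbackOutcome.NO_PENDING_REQUEST;
  }
  if (state !== pendingState) return CallbackOutcome.STATE_MISMATCH;
  if (error !== null) return CallbackOutcome.PROVIDER_ERROR;
  return CallbackOutcome.READY;
}

// Notify every listener of the outcome, then return it so the callback route can
// decide whether to proceed with the library or send the user back to login.
function handleCallback(callbackUrl, pendingState, listeners) {
  const outcome = classifyCallback(callbackUrl, pendingState);
  for (const listener of listeners) listener(outcome, callbackUrl);
  return outcome;
}

// Constructed sample: a bookmarked callback carrying an old code and state,
// visited after the pending request has already been consumed (storage empty).
const staleBookmark = 'https://app.example/callback?code=OLDCODE&state=OLDSTATE';
handleCallback(staleBookmark, null, [
  (outcome) => {
    if (outcome !== CallbackOutcome.READY) {
      console.log(`authorization callback not processable: ${outcome}`);
    }
  },
]);
```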
