-
Notifications
You must be signed in to change notification settings - Fork 44
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Potential client issues when cache contains invalid values #2088
Comments
At a first glance, I would say that the issue is on the server-side, but it may be a wrong understanding of the |
It makes sense. I'm not sure what the correct way is to interpret this for the prompt parameter, so I'll see how feasible it is to let the OIDC library perform a redirect instead just to improve the potential user experience. |
Had a deeper look into the OIDC library which caused me to find some more relevant information. The library does redirect in case of error, but only if it can verify that the provided This is also what the OpenID spec says at https://openid.net/specs/openid-connect-core-1_0.html#AuthError
Now of course the argument could be made that it's simply the server's fault for deleting the client metadata, but turns out that this is not really something that can be fixed server-side when following that requirement. |
I'm also experiencing this issue in projektor when trying to re-login to inrupt's ESS after re-opening the page. The user is then stuck in the login flow and i don't know how to catch this error client-side. Does the solution maybe include a reset of the login flow when this error occurs so that users just start again at the username/password form? |
@ludwigschubi could you give a bit more details about your issue so that we could reproduce ? In particular, I have two questions:
|
@NSeydoux It's using dynamic client registration (ref) The exact error is: {
"error": "invalid_client",
"error_description": "Invalid client_id"
} I didn't use a client identifier resource because I am not sure how it will work when a user tries to use an idp other than ess or how to set it conditionally based on the version of the used idp. Maybe that isn't even needed and done internally by solid-client-authn-js?
Not sure actually, I just went back and forth a lot until it started working again, i guess it deleted the cached client information at some point while doing that Sorry that I can't give more info on how to reproduce but I also don't really know what causes it, I just heard from people using the app that after 1-2 days of consecutive logging in it started raising the error |
It seems to have been resolved itself after adding the client identifier resource |
Search terms you've used
session, cache
Impacted package
Which packages do you think might be impacted by the bug ?
Bug description
This is not really a bug (I think), but more of a potential situation that can arise. I'm mostly curious about who is responsible here and how this behaviour should be caught. I accidentally discovered this when doing tests with mashlib, but this can be reproduced using
packages/browser/examples/demoClientApp
.To Reproduce
const defaultIssuer = 'http://localhost:3000/;
):solid-client-authn-js/packages/browser/examples/demoClientApp/src/DemoClientApp.js
Line 27 in 9d3ed0a
http://localhost:3001
) and log in.internal/idp/adapter/
folder).http://localhost:3001
.The error is expected as the server no longer knows the client. The problem is that there is now no way to use the client any more: every time the user tries to browse to the client it will immediately get the redirect above. The only way to solve it is to clear the browser cache for
localhost
.The thing I'm wondering now is: is this expected/acceptable behaviour?
If not, who should handle this more gracefully?
Should the server still call the callback URI even in case of error?
Should the client somehow check if the browser cache still contains valid values?
Should it not automatically try to redirect if it detects a cache?
Environment
v1.11.7 of the browser authn client
The text was updated successfully, but these errors were encountered: