An unnecessary method call to get a token leads to a CORS error #1436

Open
xzdwq opened this issue Aug 8, 2024 · 2 comments
xzdwq commented Aug 8, 2024

Hi!
My config:

```ts
import { OidcClient, OidcConfiguration, TokenAutomaticRenewMode } from '@axa-fr/oidc-client';

const configuration: OidcConfiguration = {
  client_id: 'x',
  redirect_uri: window.location.origin + '/auth/oidc/callback',
  silent_redirect_uri: window.location.origin + '/auth/oidc/callback',
  scope: 'openid profile email',
  authority: 'https://adfs.x.com/adfs',
  storage: localStorage,
  token_renew_mode: 'access_token_or_id_token_invalid',
  token_automatic_renew_mode: TokenAutomaticRenewMode.AutomaticBeforeTokenExpiration,
  preload_user_info: false,
  monitor_session: false,
  refresh_time_before_tokens_expiration_in_second: 70,
  service_worker_only: false,
  extras: {
    response_type: 'id_token token',
    response_mode: 'query',
  },
};

const oidcClient = OidcClient.getOrCreate(() => fetch)(configuration);

export { configuration, oidcClient };
```

After successful authorization on the AD FS side, the redirect takes place back to the application and returns the following parameters to me:

```
http://localhost:4444/auth/oidc/callback
#access_token=ey...
&token_type=bearer
&expires_in=3600
&id_token=ey...
&scope=email%20profile%20openid
&state=UQB...
```

This is enough for me to authorize the user inside the application, but I have to call the method `oidcClient.loginCallbackAsync()`.

The method calls the URL `https://adfs.x.com/adfs/oauth2/token/`, and when accessing it I get a CORS error.

I don't need to call `https://adfs.x.com/adfs/oauth2/token/`, because I already know the token.
Is there a way to not call the URL `https://adfs.x.com/adfs/oauth2/token/` and still process the `oidcClient.loginCallbackAsync()` method?

Versions

`"@axa-fr/oidc-client": "^7.22.22-alpha.1536"`

Expected

When specifying `response_type: 'id_token token'`, do not make a separate request for the token.
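A client that skips the token endpoint and trusts the tokens delivered in the callback fragment still has to perform the validation that the library would otherwise do. The following is an added example, not code from `@axa-fr/oidc-client` or from the reporter, showing the checks (state, issuer, audience, nonce, expiry) on a constructed callback like the one above; `verifySignature` is a hypothetical caller-supplied function that validates the id_token JWS against the authority's JWKS.

```javascript
// Added example, not code from @axa-fr/oidc-client: the checks a client must
// still perform when it uses the tokens delivered in the fragment of an
// 'id_token token' callback instead of calling /oauth2/token.
// verifySignature(idToken) is a hypothetical caller-supplied function that
// validates the JWS against the authority's JWKS; it is stubbed in the demo.
const b64url = (s) => Buffer.from(s, 'base64url').toString('utf8');

// '#access_token=...&token_type=bearer&...' -> plain object
function parseFragment(callbackUrl) {
  const hash = new URL(callbackUrl).hash.replace(/^#/, '');
  return Object.fromEntries(new URLSearchParams(hash));
}

// expected = { state, nonce, issuer, clientId } stored before the redirect.
// Throws on the first failed check; returns the usable tokens otherwise.
function validateImplicitCallback(callbackUrl, expected, verifySignature, nowSec) {
  const p = parseFragment(callbackUrl);
  if (p.state !== expected.state) throw new Error('state mismatch (CSRF)');
  if (!p.access_token || !p.id_token) throw new Error('tokens missing from fragment');
  const parts = p.id_token.split('.');
  if (parts.length !== 3) throw new Error('id_token is not a compact JWS');
  if (!verifySignature(p.id_token)) throw new Error('id_token signature invalid');
  const claims = JSON.parse(b64url(parts[1]));
  if (claims.iss !== expected.issuer) throw new Error('issuer mismatch');
  const aud = [].concat(claims.aud);
  if (!aud.includes(expected.clientId)) throw new Error('audience mismatch');
  if (claims.nonce !== expected.nonce) throw new Error('nonce mismatch (replay)');
  if (!(claims.exp > nowSec)) throw new Error('id_token expired');
  const expiresIn = Number(p.expires_in);
  if (!(expiresIn > 0)) throw new Error('invalid expires_in');
  return { accessToken: p.access_token, tokenType: p.token_type,
           accessTokenExpiresAt: nowSec + expiresIn, claims };
}

// Constructed sample callback (unsigned id_token, for the demo only).
function sampleCallback(nowSec, nonce, state) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const idToken = `${enc({ alg: 'RS256' })}.${enc({ iss: 'https://adfs.x.com/adfs',
    aud: 'x', sub: 'u1', nonce, iat: nowSec, exp: nowSec + 3600 })}.sig`;
  return 'http://localhost:4444/auth/oidc/callback#access_token=at.example' +
    `&token_type=bearer&expires_in=3600&id_token=${idToken}&scope=openid&state=${state}`;
}
```

Without these checks, dropping the token-endpoint call also drops the only place where a stolen or replayed id_token would be rejected.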

guillaume-chervet (Contributor) commented:

Hi @xzdwq , do you know the name of this flow?
Thank you for your issue.
So you receive the access_token during the callback and do not need anything more?

xzdwq (Author) commented Aug 10, 2024

@guillaume-chervet
I do not know if this flow has a name, but this is the policy in our company. We get information about the user from the id_token and validate work with services using the access_token; it also contains "expired" information.

Maybe there is an optional option to use access_token as the main one?
