AxaFrance/oidc-client

Auth successful with invalid redirect_uri

Closed this issue · 5 comments

Issue and Steps to Reproduce

Description

With the following configuration for OIDC:

const configuration: OidcConfiguration = {
 client_id: 'movies-app',
 redirect_uri: `${window.location.origin}/authentication/nonsense`, // Invalid redirect URI
 // silent_redirect_uri: `${window.location.origin}/authentication/silent-callback`,
 scope: 'openid offline_access', // offline_access scope allows client to retrieve refresh_token
 authority: 'http://localhost:8080/realms/company-services',
};

And the following router configuration:

  {
    path: '/',
    element: <HomePage />,
  },
  {
    path: '/admin',
    element: (
      <OidcSecure>
        <BaseLayout />
      </OidcSecure>
    ),
    children: [
      {
        path: '',
        element: <Home />,
      },
    ],
  },
]);

Authentication is still successful, even though the redirect_uri is set to an invalid path /authentication/nonsense, and service workers are not enabled. How is this possible?

Steps to Reproduce

  • Configure the OIDC setup with the provided configuration object.
  • Initiate the authentication flow by navigating to the /admin route.
  • Observe that the authentication is successful, despite the invalid redirect_uri.

Versions

"@axa-fr/react-oidc": "7.22.0-alpha.1416",

Hi @uhexos ,
Thank you for your issue.
This is a normal behavior. The library is router agnostic and manages its own route internally.

So what is the point of the redirect_uri if it has no impact on authentication? How can I get it to ignore the internal callback and use the one provided by me instead?

redirect_uri should be configurable inside your OIDC server, and your OIDC server should accept only the configured one @uhexos.
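The comment above puts the security decision where it belongs: the authorization server, not the client library, is what enforces redirect_uri. The following is an added example, not code from this thread or from @axa-fr/react-oidc, showing the server-side check an OIDC provider must perform. The registered callback URL, the client_id and the requested URIs are constructed sample values; the weak prefix check is shown next to the exact-match check so the difference is visible on the /authentication/nonsense path from the issue.

```javascript
// Added example (not code from AxaFrance/oidc-client): redirect_uri validation as an
// OIDC authorization server must perform it on every authorization request.
// The client registration below is constructed for this example.
const REGISTERED_CLIENTS = {
  'movies-app': {
    redirect_uris: ['http://localhost:3000/authentication/callback'],
  },
};

// Weak check: matches on origin prefix only. It accepts any path under the
// registered origin, including /authentication/nonsense, so a server using it
// does not actually constrain where authorization codes are delivered.
function isAllowedByPrefix(clientId, requested) {
  const client = REGISTERED_CLIENTS[clientId];
  if (!client) return false;
  return client.redirect_uris.some((r) => requested.startsWith(new URL(r).origin));
}

// Correct check (OAuth 2.0 Security Best Current Practice): the requested value
// must be an absolute URL without a fragment and must equal a registered URI
// byte for byte. No prefix, wildcard or normalisation matching.
function isAllowedExact(clientId, requested) {
  const client = REGISTERED_CLIENTS[clientId];
  if (!client) return false;
  let parsed;
  try {
    parsed = new URL(requested);
  } catch {
    return false; // relative or malformed redirect_uri
  }
  if (parsed.hash !== '') return false; // fragments are not permitted in redirect_uri
  return client.redirect_uris.includes(requested);
}

// Minimal authorization-endpoint decision. When redirect_uri fails validation the
// server must render an error page itself and never redirect to the bad URI,
// otherwise the code would still be handed to an unregistered location.
function handleAuthorizationRequest(params) {
  const { client_id, redirect_uri } = params;
  if (!isAllowedExact(client_id, redirect_uri)) {
    return { action: 'render_error', error: 'invalid_request' };
  }
  return { action: 'redirect', to: redirect_uri };
}

// Stand-alone demonstration with the path from the issue.
console.log(
  handleAuthorizationRequest({
    client_id: 'movies-app',
    redirect_uri: 'http://localhost:3000/authentication/nonsense',
  }),
); // { action: 'render_error', error: 'invalid_request' }
```

If the provider in the issue still completed the login with /authentication/nonsense, the first thing to verify is which redirect URIs are registered for the movies-app client and whether the registration uses a wildcard; the exact-match rule above is what rejects the unregistered path.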

Setting up the redirect_uri is fine; I know it must exist on the OIDC server as well. I want react-oidc to completely ignore the default behaviour and use only the custom one I am providing. How can I do that? Also, where can I find the implementation for storing/accepting/processing the code token in the source files?

ghosted