A trick to pass the authentication control
avanceaw opened this issue · 1 comments
avanceaw commented
Hi, I have a problem with our web app using this AuthProvider where its quite easy to get round the authentication control against our oidc backend service. This by adding empty oidc items to the local/session storage.
How to do:
- Browse to e.g. http://localhost
- In dev console run following js code:
window.localStorage.setItem('oidc.foo', '{}')
window.sessionStorage.setItem('oidc.user:<theUrlToOIDCService>:<theClientId>', '{}') - Change the url to the app, e.g. http://localhost/myapp
- The app is loaded and has skipped the authentication request to the backend
It seems like the app thinks that user is already signed in and redirects to the main page. But I dont really know if we have implemented this in a bad way or if its this component having this issue?
Thanks for any input.