A trick to pass the authentication control
avanceaw opened this issue · 1 comment
avanceaw commented
Hi, I have a problem with our web app using this AuthProvider,
where it's quite easy to get around the authentication control against our oidc backend service. This is done by adding empty oidc items to the local/session storage.
How to do:
- Browse to e.g. http://localhost
- In dev console run following js code:
window.localStorage.setItem('oidc.foo', '{}')
window.sessionStorage.setItem('oidc.user:<theUrlToOIDCService>:<theClientId>', '{}')
- Change the url to the app, e.g. http://localhost/myapp
- The app is loaded and has skipped the authentication request to the backend
It seems like the app thinks that the user is already signed in and redirects to the main page. But I don't really know if we have implemented this in a bad way or if it's this component having this issue?
Thanks for any input.
simenandre commented
Hello, @avanceaw!
Thanks for opening this up. It's intended to set a signed-in state based on these localStorage entries. oidc-react does not handle any of this directly; we use the underlying library oidc-client-ts. Feel free to open an issue there though :)
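Added example, not code from oidc-react or oidc-client-ts and not from either commenter: a strict shape check on the stored user entry, so that the empty `{}` written in the repro above is not treated as a session. The key format is the one quoted in the issue; `AUTHORITY`, `CLIENT_ID` and the helper names are assumptions.

```javascript
// Added example (not oidc-react / oidc-client-ts code): refuse to treat a stored
// "oidc.user:<authority>:<clientId>" entry as a session unless it has the shape
// of a real, unexpired token. AUTHORITY and CLIENT_ID are constructed placeholders.
const AUTHORITY = "https://issuer.example";
const CLIENT_ID = "myapp-client";
const USER_KEY = `oidc.user:${AUTHORITY}:${CLIENT_ID}`;

// True only for an entry carrying a non-empty access_token and a future expires_at.
// The bare "{}" from the issue's repro fails every check; unparsable JSON fails too.
function isUsableStoredUser(raw, nowSeconds = Math.floor(Date.now() / 1000)) {
  let user;
  try {
    user = JSON.parse(raw);
  } catch {
    return false;
  }
  if (!user || typeof user !== "object") return false;
  if (typeof user.access_token !== "string" || user.access_token.length === 0) return false;
  // expires_at is an absolute Unix time in seconds; reject missing or past values.
  if (!Number.isFinite(user.expires_at) || user.expires_at <= nowSeconds) return false;
  return true;
}

// Minimal in-memory stand-in for window.localStorage / sessionStorage so the
// example runs outside a browser (constructed for this example).
function makeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return { getItem: (k) => (map.has(k) ? map.get(k) : null) };
}

// Reads the entry for this authority/client and applies the check.
function clientThinksSignedIn(storage, nowSeconds) {
  const raw = storage.getItem(USER_KEY);
  return raw !== null && isUsableStoredUser(raw, nowSeconds);
}

// Constructed inputs: the forged empty objects from the issue vs. a plausible real entry.
const forged = makeStorage({ "oidc.foo": "{}", [USER_KEY]: "{}" });
const genuine = makeStorage({
  [USER_KEY]: JSON.stringify({
    access_token: "constructed-placeholder-token",
    token_type: "Bearer",
    expires_at: 2000000000, // far-future expiry, constructed
  }),
});
```

Even with this check the client-side state only drives UI; the backend service must still validate the access token on every request, since anything in browser storage can be edited by the user.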