
Configuration of parameter includeIdTokenInSilentRenew has no effect

Open divid3byzero opened this issue 3 years ago • 7 comments

As per OIDC specification (https://openid.net/specs/openid-connect-session-1_0.html) an RP should send the current ID token of a user when attempting a silent renew via prompt=none call. To send the ID token using the id_token_hint query parameter as described in the specification the documentation states that the UserManagerSetting parameter includeIdTokenInSilentRenew should be set to true (it is false by default). It appears, though, that this configuration parameter has no effect as the ID token is not appended to the prompt=none call resulting in an error message from the OP.

On checking the code I found that the OIDC client configuration is passed to the class UserManagerSettingsStore (https://github.com/authts/oidc-client-ts/blob/main/src/UserManagerSettings.ts) where the configuration parameters are assigned using the values set in the OIDC client. It seems that in the case of the parameter includeIdTokenInSilentRenew the value is hard coded to false and any other value that is configured using the settings object is simply ignored and the default value of false can thus never be overridden.

I need to be able to set this parameter to true as the OP I am using will refuse to process any prompt=none calls without the id_token_hint parameter. Just to be clear: this behaviour of the OP is correct, it behaves exactly as stated in the specification. So this is something that needs to be fixed on the client (library) side. I can provide a pull request if wished.

I would also be glad if someone could point me in the right direction in case I am simply using the library in the wrong way or if I've overlooked anything.

divid3byzero avatar Jun 17 '22 10:06 divid3byzero

includeIdTokenInSilentRenew is used to set id_token_hint here: https://github.com/authts/oidc-client-ts/blob/bb04f0c418e92b818595f464e4d081515635cae4/src/UserManager.ts#L250

id_token_hint if part of optionalParams is appended to url here: https://github.com/authts/oidc-client-ts/blob/bb04f0c418e92b818595f464e4d081515635cae4/src/SigninRequest.ts#L111-L115

pamapa avatar Jun 17 '22 11:06 pamapa

Ok, thank you for the clarification even if it still does not solve my problem.

I'll go into a bit more detail. I am actually currently migrating from the "original" JavaScript version of this library to the TypeScript version. Using the JS version of the library the prompt=none mechanism works fine. Using the TS version of the library the according call results in the aforementioned error sent by the OP stating that the id_token_hint is missing. So I must be missing something. So maybe I should rephrase my question: what do I have to do respectively configure so that the ID token is appended to the prompt=none call?

You said that the ID token will be appended if it is part of optionalParams. How do I do that?

divid3byzero avatar Jun 17 '22 12:06 divid3byzero

It seems that in the case of the parameter includeIdTokenInSilentRenew the value is hard coded to false a

What you saw is only the default. You should be able to set includeIdTokenInSilentRenew=true within your settings.

pamapa avatar Jun 17 '22 14:06 pamapa

Yes, that I understood. The problem that I have is that I can't manage to get the id_token_hint appended to the prompt=none call. Using the JavaScript library it works, using this TypeScript fork of the same library, it doesn't work. I thought that I have to set the includeIdTokenInSilentRenew parameter to true in the UserManagerSettings to enable the appending of the id_token_hint but that does not work. So now the question is, what do I need to do to make this work again.

divid3byzero avatar Jun 17 '22 14:06 divid3byzero

Can you check if you have a user and that this user has an id_token when doing the silent renew:

includeIdTokenInSilentRenew is used to set id_token_hint here: https://github.com/authts/oidc-client-ts/blob/bb04f0c418e92b818595f464e4d081515635cae4/src/UserManager.ts#L250

-> user?.id_token

A good point is to make there a break point and debug through or enable logging....

pamapa avatar Jun 17 '22 15:06 pamapa

That usage of includeIdTokenInSilentRenew is in the function signinSilent(...). This function is not called in the case of prompt=none requests. In the cases where a prompt=none is needed the querySessionStatus(...) function is called via the SessionMonitor class. Like I said, using the JavaScript version of this library, the one this library is a fork of, everything works perfectly fine. This TypeScript clone though seems to do some things differently as the prompt=none call does not include the ID token like the original JavaScript library does. The client code is exactly the same, it is the same application only the library was exchanged.

In any case, I will do as you suggested and debug.

divid3byzero avatar Jun 20 '22 06:06 divid3byzero

After a little debugging I found out that currently the id_token_hint query parameter is not supported for prompt=none calls. According to the OIDC session management specification the id_token_hint parameter should be included for these requests. Relevant part of the specification:

"When the RP detects a session state change, it SHOULD first try a prompt=none request within an iframe to obtain a new ID Token and session state, sending the old ID Token as the id_token_hint. "

I will provide a pull request that includes this "feature" and hope that you will accept it.

divid3byzero avatar Jul 08 '22 19:07 divid3byzero
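As an added example (not code from oidc-client-ts or from either participant), the following models the two request paths contrasted in this thread, signinSilent versus the querySessionStatus prompt=none call, and the OP's rule that a prompt=none request without id_token_hint is refused. The settings shape, the `/authorize` endpoint layout, the function names and all sample values are assumptions.

```typescript
// Added illustration, not oidc-client-ts source. It models the two request
// paths the thread contrasts: signinSilent (honours includeIdTokenInSilentRenew)
// and the prompt=none session-status check that, as reported, omits the hint.
interface Settings {
  authority: string;                    // assumed: OP issuer base URL
  client_id: string;
  redirect_uri: string;
  includeIdTokenInSilentRenew: boolean; // library default is false
}
interface User { id_token?: string }

// Assumed authorization endpoint layout: `${authority}/authorize`.
function authorizeUrl(s: Settings, extra: Record<string, string>): string {
  const params = new URLSearchParams({
    client_id: s.client_id,
    redirect_uri: s.redirect_uri,
    response_type: "code",
    scope: "openid",
    ...extra,
  });
  return `${s.authority}/authorize?${params.toString()}`;
}

// signinSilent path: the hint is added only when the setting is true AND the
// stored user actually carries an id_token (the `user?.id_token` check).
function signinSilentUrl(s: Settings, user: User | null): string {
  const extra: Record<string, string> = { prompt: "none" };
  if (s.includeIdTokenInSilentRenew && user?.id_token) extra.id_token_hint = user.id_token;
  return authorizeUrl(s, extra);
}

// querySessionStatus path as reported in the thread: prompt=none with no hint.
function querySessionStatusUrlAsReported(s: Settings, _user: User | null): string {
  return authorizeUrl(s, { prompt: "none" });
}

// The behaviour the reporter asks for: pass the old ID token as id_token_hint.
function querySessionStatusUrlWithHint(s: Settings, user: User | null): string {
  return signinSilentUrl(s, user);
}

// Client-side pre-flight mirroring the OP rule in the thread: a prompt=none
// request without id_token_hint will be refused.
function opWouldAccept(url: string): boolean {
  const q = new URL(url).searchParams;
  return q.get("prompt") !== "none" || q.has("id_token_hint");
}
```

Running opWouldAccept over the reported path shows why the OP answers with an error even though includeIdTokenInSilentRenew is true, while the same settings on the signinSilent path produce a request carrying the hint.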