oidc-client
oidc-client copied to clipboard
AxaFrance
Option to support "globally allowed" OidcTrustedDomains.js
OidcTrustedDomains.js is currently forced to be filled in and the service worker will then only function on these domains. I've made a tenant like system where multiple domains end up in the exact same application and it's impossible for me to know which application urls these are (they come from the database).
It would be nice that in certain scenarios that you could say
const trustedDomains = {
default: ["*"]
};
To allow any domain to use the service worker.
The way I currently intend to solve this is by making a small REST api endpoint which simulates the content of OidcTrustedDomains.js which takes priority over the application itself but I don't know how (or if) that is gonna work.
This has a little bit of haste behind it as I cannot currently get my deployed application to work without this feature.
Hi @Thodor12 , thank you very much for your pullrequest and your issue. I will check it on monday, i have a busy week end. Do you know that allowing every domains your application will be weak against Xss attacks. It would be possible for a hacker to retrieve easily the accesstoken and i think also refresh token.
Do you have the possibility to retrieve dynamicaly your domains from trusteddomains.js files? It would be a lot more secure.
I was thinking of the possibility to customize routes/domains like for example:
Https//*.toto.com/api/ <-- i would set a star at the end but i cannot because it it makdown
Which will resolve your use case too. But i think i would print big warning that just * it very weak.
My domains are completely random as they are user defined. I thought about providing an endpoint to load the OidcTrustedDomains.js file but that is out of the picture because this file is not actually fetched as a HTTP request from the service worker, it's just a webworker import require so that will not work.
I'm only hosting 1 actual built React application, so those files are "static files" served by a simple nginx container. So there's no dynamic loading possible.
The only way I see is by self managing the service worker file, providing the source through a HTTP endpoint myself and then embedding the trusted domains file directly in there, completely bypassing the generated service worker, but that will give me longevity problems with updates which is less than ideal.
As far as XSS goes I'm not worried, these tokens are specially signed from the backend to only work for that given domain, (plus people can grab the token anyway from the inspect element screen). They are also JWT tokens in the end so they are not possible to be modified. (On top of that my tokens are encrypted using the ASP.NET Data Protection stack so they're practically impossible to reverse engineer)
These domains are used to feed my Traefik instance to set up dynamic routing for these domains, so I do have them stored in a database, as you can see in the image below these can be any domain (I redacted the original ones for privacy reasons).
I require my customers to actually setup DNS entries on their own host to point to this server.
Each of them then gets pointed towards the docker container for nextlevel-frontend, which is where the application using react-oidc lives.
Maybe we could just support this and mention it in the README, but with a disclaimer saying it's not recommended and should only be used "if you know what you're doing".
Hi @Thodor12 , don't worry I think I will merge your PullRequest tomorrow when I will be able to test it. Yes, warning in documentation woulb be great.
After, i will improve you * system to be able to select path or subdomains or anything else ^^
I have merge it. Than you very much @Thodor12 ! I keep the issue open. I will enhance the code to support Https//*.toto.com/api/ <-- i would set a star at the end but i cannot because it it makdown configuration
and add Warning inside documentation about allowing every domains.
I have merge it. Than you very much @Thodor12 ! I keep the issue open. I will enhance the code to support Https//*.toto.com/api/ <-- i would set a star at the end but i cannot because it it makdown configuration
and add Warning inside documentation about allowing every domains.
Hello @guillaume-chervet, did you get to work on this one? How can I be of any help in giving a PR? I have not much idea about how the whole code base works, but i can try
Hi @abhilashlr7 , it is already working.
I keep the issue open because i want to enhance the way to configure trusted domains with stars or regex 😀
yes, that is exactly what I am looking for.
I'd need support like https://*.abc.com/path. I could get a way working now in our application, but wouldn't scale well in the long run when updates are pushed. I will see if I can send that as a PR soon
It would be awesome @abhilashlr7 :)
https://github.com/AxaGuilDEv/react-oidc/pull/935 addresses this one. but it is regex based. Let me know if that works.
Thank you @abhilashlr, I have tested it and merged it so last published version contained it. I keep the issue open to update the documentation.
Thank you @abhilashlr, I have tested it and merged it so last published version contained it. I keep the issue open to update the documentation.
Ah! Apologies to have missed it out. Will send a PR for that soon.