oidc-client
Error: Tokens are not OpenID valid
Issue and Steps to Reproduce
Receiving the following error during authentication: "Error: Tokens are not OpenID valid"
Versions
@axa-fr/react-oidc v6.14.6
Screenshots
Additional Details
I'm migrating from @axa-fr/react-oidc-context v3.1.7 where authentication was previously working with AD FS OpenId Connect. Here is my configuration:
const configuration: OidcConfiguration = {
  client_id: `${process.env.REACT_APP_CLIENT_ID}`,
  redirect_uri: `${process.env.REACT_APP_BASEURL}auth`,
  scope: 'openid profile email',
  authority: `${process.env.REACT_APP_OIDC_URL}`,
  silent_redirect_uri: `${process.env.REACT_APP_BASEURL}authentication/silent_callback`,
  silent_login_uri: `${process.env.REACT_APP_BASEURL}authentication/silent_login`,
  service_worker_relative_url: '/OidcServiceWorker.js',
  service_worker_only: false
}
const adfsConfig: AuthorityConfiguration = {
  issuer: `${process.env.REACT_APP_OIDC_URL}`,
  authorization_endpoint: `${process.env.REACT_APP_OIDC_URL}/oauth2/authorize`,
  token_endpoint: `./proxy/proxy.ashx?${process.env.REACT_APP_OIDC_URL}/oauth2/token`,
  userinfo_endpoint: `${process.env.REACT_APP_OIDC_URL}/userinfo`,
  end_session_endpoint: `${process.env.REACT_APP_OIDC_URL}/oauth2/logout`,
  revocation_endpoint: `${process.env.REACT_APP_OIDC_URL}/oauth2/logout`,
}
Code for getting configuration based on environment was removed for brevity.
- Installed packages:
- @axa-fr/react-oidc
Hi @hagenderouen, thank you for your feedback.
Do you have an example response from your OIDC server?
The one with id_token, access_token and maybe refresh_token.
It looks like it does not pass some security check: https://github.com/AxaGuilDEv/react-oidc/blob/5a19496beac452461561da3f91163a6c3037be75/packages/react/src/oidc/vanilla/parseTokens.ts#L165
Here is the structure of the tokens response:
{
  "tokens": {
    "accessToken": "redacted",
    "expiresIn": 3600,
    "idToken": "redacted",
    "scope": "email profile openid",
    "tokenType": "bearer",
    "issuedAt": 1676661694.738,
    "refreshToken": "redacted",
    "idTokenPayload": {
      "aud": "redacted",
      "iss": "redactedurl",
      "iat": 1676661693,
      "exp": 1676665293,
      "auth_time": 1676660680,
      "mfa_auth_time": 1676660682,
      "nonce": "redacted",
      "sub": "redacted",
      "upn": "redacted",
      "unique_name": "redacted",
      "pwd_exp": "10865159",
      "sid": "redacted",
      "email": "redacted",
      "apptype": "Public",
      "appid": "redacted",
      "authmethod": "redacted",
      "ver": "1.0",
      "scp": "email profile openid"
    },
    "accessTokenPayload": {
      "aud": "microsoft:identityserver:redacted",
      "iss": "redacted",
      "iat": 1676661693,
      "exp": 1676665293,
      "sub": "redacted",
      "email": "redacted",
      "apptype": "Public",
      "appid": "redacted",
      "authmethod": "redacted",
      "auth_time": "2023-02-17T19:04:40.305Z",
      "ver": "1.0",
      "scp": "email profile openid"
    },
    "expiresAt": 1676665293
  }
}
If you need additional information, please let me know.
@guillaume-chervet It seems to be failing at: https://github.com/AxaGuilDEv/react-oidc/blob/5a19496beac452461561da3f91163a6c3037be75/packages/react/src/oidc/vanilla/parseTokens.ts#L186
Thank you @hagenderouen for the information. I need tokens from network tabs request to understand the problem. Do you have that?
@guillaume-chervet I'm not exactly sure how to share this safely, but I will try to provide as many details as possible.
Here is the structure of the token response:
{
  "access_token": "removed",
  "token_type": "bearer",
  "expires_in": 3600,
  "resource": "removed",
  "refresh_token": "removed",
  "refresh_token_expires_in": 28788,
  "scope": "email profile openid",
  "id_token": "removed"
}
Token types as explained by https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/development/ad-fs-openid-connect-oauth-concepts.
- id_token: A JWT token issued by authorization server (AD FS) and consumed by the client. Claims in the ID token will contain information about the user so that client can use that.
- access_token: A JWT token issued by authorization server (AD FS) and intended to be consumed by the resource. The 'aud' or audience claim of this token must match the identifier of the resource or Web API.
- refresh_token: Issued by AD FS for the client to use when it needs to refresh the id_token and access_token. The token is opaque to the client and can only be consumed by AD FS.
Hi @hagenderouen, may you send me the complete development token at [email protected]?
I need the token content to understand what is failing. I will also try to publish a version which will give the failing step.
The tokens you get just after the redirect phase, which contain the nonce.
Hi @hagenderouen, nothing looks strange in your tokens.
I will add some information in the next version to understand which line produces the invalidation.
I published version 6.14.8 that may help to know which line is failing. May you give me the new error message @hagenderouen?
@guillaume-chervet Here is the new error response with v6.14.8:
Hi @hagenderouen,
sorry I did not see your message. Your OIDC server may not support None.
I may need to add a property to disable the nonce check for your case.
@hagenderouen Does your server send you a nonce in the callback URL query string?
@hagenderouen I can see above that yes, your server sends you a nonce.
Do you have the possibility to clone this repository and debug with your own configuration? The nonce must have differences, but I do not know why.
@guillaume-chervet I'm getting errors when running npm install after cloning the repo. I tried clearing the npm cache, but this did not work.
Hi @hagenderouen, very sorry, it is new from a few hours ago. We will fix it tomorrow morning.
Hi @guillaume-chervet,
Just came across this issue as I've encountered a similar error. I'm getting the same error message as above (on v6.16.9):

In my case it seems to be when using multiple tabs for the same application. I think I saw an issue yesterday where that use case was discussed but can't find it today. All the tabs seem to be using the same nonce (local storage) but the sessions are lost across all of them (except perhaps the last one to be refreshed).
Is the monitor_session option of any use here? Or perhaps there's a way to have a separate nonce per tab (e.g. store this in session storage)?
Thanks for any help!
I've created a new issue following the above as I'm getting a slightly different issue now - https://github.com/AxaFrance/react-oidc/issues/1021
@guillaume-chervet any suggestions on disabling hidden tokens or revealing them in the console?
Hi @hagenderouen, sorry I did not understand. Do you still have the token validation error? Did you manage to clone the demo and run it? The difficulty is to reproduce your case.
Working on this. Trying to read and compare nonce values, but it is hidden by the service worker. Do you have a suggestion for reading the nonce value?
I got this error when I updated the package but did not update the service worker. @hagenderouen can you make sure you have the same version of the package and service worker?
I got the same issue, and following your comment, I have updated my previous OidcServiceWorker.js (it was with minified JS style) with the content of https://github.com/AxaFrance/oidc-client/blob/v6.26.6/packages/oidc-client/public/OidcServiceWorker.js (it is using a less minified code style). After that, it works again, and I no longer have the error about Nonce does not match.
By the way, I'm using react-oidc v6.26.0.
However, @guillaume-chervet, I have found it complicated to follow the process of getting the expected OidcServiceWorker.js file. Is there any part of the documentation talking about it? Where to get it? How to update it? Is it generated automatically during the installation of the package?
Thank you!
@hagenderouen Do you still have the validation error? I have added a lot more error log detail in the latest version.
@franher The last oidc version readme explains how to update files. I hope in a better way than before.
@guillaume-chervet I face this error on 7.3.1 too!
On debugging I find that the nonce set in the localStorage is different from the one received on POST /tokens when I decode the JWT token received for idToken. Apparently, we don't use idToken and therefore the line of code that you pointed out may not be required for us. Is there a way to avoid this check through an arg?
Thank you @abhilashlr7 for the feedback. May you check if the nonce from the local storage is the same as the one you receive when you log in? The nonce should be inside the callback query string.
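To make the "which check fails" question concrete (the token types listed earlier and the nonce comparison just above), here is an added example, not code from @axa-fr/react-oidc, that decodes an id_token and runs the usual OpenID Connect claim checks (iss, aud, exp, iat, nonce), reporting the failing ones. Issuer, client id, nonce values and the tokens themselves are constructed for the demo; signature verification against the authority's JWKS is out of scope here.

```javascript
// Added example (not the library's code): decode an id_token payload and run
// the OIDC claim checks that lead to "Tokens are not OpenID valid" style
// rejections, returning the names of the checks that failed.
const base64url = (s) => Buffer.from(s).toString('base64url');
const fromBase64url = (s) => Buffer.from(s, 'base64url').toString('utf8');

// Decode the payload segment of a compact JWT (header.payload.signature).
// No signature check here; a real client verifies it before trusting claims.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return JSON.parse(fromBase64url(parts[1]));
}

// Compare the id_token claims with what the client stored before redirecting.
// Returns an array of failing check names; an empty array means acceptable.
function validateIdToken(jwt, expected, nowSeconds) {
  const p = decodeJwtPayload(jwt);
  const failures = [];
  if (p.iss !== expected.issuer) failures.push('iss');
  const aud = Array.isArray(p.aud) ? p.aud : [p.aud];
  if (!aud.includes(expected.clientId)) failures.push('aud');
  if (typeof p.exp !== 'number' || p.exp <= nowSeconds) failures.push('exp');
  if (typeof p.iat !== 'number' || p.iat > nowSeconds + expected.clockSkew) failures.push('iat');
  // The nonce binds this id_token to the authorization request this browser
  // context made; a nonce stored by another tab or an outdated service worker
  // will not match and the token is rejected here.
  if (p.nonce !== expected.nonce) failures.push('nonce');
  return failures;
}

// Build an unsigned, constructed id_token carrying AD FS-like claims.
function makeToken(claims) {
  const header = base64url(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64url(JSON.stringify(claims))}.`;
}

// Constructed sample values (issuer, client id, nonce are assumptions).
const NOW = 1676661700; // "current time" just after the sample iat
const expected = { issuer: 'https://adfs.example.test/adfs', clientId: 'client-123', nonce: 'n-abc', clockSkew: 60 };
const baseClaims = { iss: expected.issuer, aud: 'client-123', iat: 1676661693, exp: 1676665293, sub: 'u1' };
const goodToken = makeToken({ ...baseClaims, nonce: 'n-abc' });
const staleNonceToken = makeToken({ ...baseClaims, nonce: 'n-other' });

console.log(validateIdToken(goodToken, expected, NOW));       // []
console.log(validateIdToken(staleNonceToken, expected, NOW)); // [ 'nonce' ]
```

Running it against your own stored nonce and the id_token from the network tab shows directly whether the mismatch is the nonce or another claim.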