oidc-react

Multiple round-trips to IDP when session_state is included in response

Open jeblair opened this issue 4 years ago • 3 comments

When using Keycloak, the session_state is included in the response by default. That appears to cause oidc-react (or oidc-react-js?) to make multiple authentication requests in the background under Firefox at least. Keycloak has an option under OpenID Connect Compatibility Modes to Exclude Session State From Authentication Response. If I set that to "On", then it works as expected.

I've prepared a reproducer using the sample app and a keycloak docker image with a realm already set up. The repos are here:

Dockerfile: https://github.com/jeblair/keycloak-sample

Sample app: https://github.com/jeblair/example-oidc-react

Here's how to run the reproducer:

  1. add 127.0.0.1 keycloak to /etc/hosts
  2. docker run -p8082:8082 jeblair/keycloak-sample
  3. git clone https://github.com/jeblair/example-oidc-react
  4. cd example-oidc-react
  5. yarn start

You can log in to the app with user admin password admin.

You can log into the keycloak admin console at http://keycloak/ with user admin password kcadmin.

The login will work, but you should see multiple requests to keycloak after logging in. It's also easy to see by looking at network traffic in devtools.

The sample app/reproducer breaks reliably for me in Firefox, but not Chromium. However, in the actual application I'm working on, I also see the behavior in Chromium (perhaps a race condition with the session state and storage is involved).

jeblair, Oct 29 '21 23:10

Thanks for posting this, and with awesome detail too!

Unfortunately, I'm busy with a few launches at the moment (which is also the reason it has taken so much time to answer you). I have this on my list, and hope to get to it very soon!

Thank you for your patience, and feel free to do research/debugging and open pull requests!

simenandre, Nov 08 '21 14:11

Did you have any chance to look at this? I think I'm running into a similar issue.

Edit: Sorry, I found out that my issue was something different (#763), although maybe related?

FreeFrags, Dec 15 '21 07:12

Does anyone want to help out on this?

simenandre, Jul 15 '22 14:07