logto
bug: Not working with Expo
Describe the bug
I'm migrating from Keycloak to Logto. We use expo to build our apps (web & native). They have a pretty straightforward way of implementing OAuth 2 based login.
When I press login button on web, popup screen opens with login form. After successful login, the popup doesn't close, and the main screen gets the following response:
```json
{
  "type": "dismiss"
}
```
Upon investigating further, after login the app calls `window.postMessage` from the popup window, but the event listener never fires in the parent window. I think the parent window loses reference to the popup.
I have tested this with other identity providers including Keycloak and they all work fine. This seems to be a Logto related issue.
Expected behavior
The popup window should close, and the parent window should receive `success` along with oauth code to generate token.
How to reproduce?
I have created a demo app here: https://github.com/artalat/expo-logto
Here are the credentials to test:
Username: test
Password: PnhP8fEp
Context
- [x] Logto Cloud
- [x] Self-hosted
- [x] Container (Docker image) = svhd/logto:latest
- [ ] Raw Node.js
Hey, thanks for the report. We haven't tried it on an expo app before. Let us run some tests, will keep you posted.
@artalat Thank you for providing the demo app. I ran a test locally and identified the issue. It is because of the strict Cross-Origin-Opener-Policy set on Logto. When attempting to open Logto sign-in from a popup window, it loses track of its cross-origin parent window, resulting in the observed behavior.
It should work well on your mobile apps I assume.
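The behaviour described in the comment above can be reproduced with a simplified model of the browser's COOP check from the HTML specification. This is an added example, not code from Logto or Expo; the origins, the `same-origin` header value standing in for the "strict" policy, and all function names are assumptions.

```javascript
// Simplified model of the HTML spec's COOP browsing-context-group check.
// Only three values are modelled; COEP and report-only variants are ignored.
// All origins and header values below are constructed for illustration.
const COOP_VALUES = new Set(["unsafe-none", "same-origin-allow-popups", "same-origin"]);

// A missing or unrecognised header falls back to the default, unsafe-none.
function parseCoop(header) {
  const value = (header || "").split(";")[0].trim();
  return COOP_VALUES.has(value) ? value : "unsafe-none";
}

// Two documents "match" if both are unsafe-none, or share value and origin.
function coopMatches(aCoop, aOrigin, bCoop, bOrigin) {
  if (aCoop === "unsafe-none" && bCoop === "unsafe-none") return true;
  if (aCoop === "unsafe-none" || bCoop === "unsafe-none") return false;
  return aCoop === bCoop && aOrigin === bOrigin;
}

// True when the navigation moves the popup into a new browsing context group.
function requiresSwitch(isInitialAboutBlank, active, response) {
  if (coopMatches(active.coop, active.origin, response.coop, response.origin)) return false;
  if (isInitialAboutBlank && active.coop === "same-origin-allow-popups" &&
      response.coop === "unsafe-none") return false;
  return true;
}

// Walk a popup through its navigations; report whether window.opener
// (and therefore opener.postMessage) still reaches the parent at the end.
function openerSurvives(opener, hops) {
  // The popup's initial about:blank inherits the opener's origin and COOP.
  let active = { origin: opener.origin, coop: parseCoop(opener.coopHeader) };
  let initial = true;
  let linked = true;
  for (const hop of hops) {
    const response = { origin: new URL(hop.url).origin, coop: parseCoop(hop.coopHeader) };
    if (requiresSwitch(initial, active, response)) linked = false; // severed for good
    active = response;
    initial = false;
  }
  return linked;
}

const app = { origin: "https://app.example", coopHeader: null };
const strictFlow = [
  { url: "https://auth.example/sign-in", coopHeader: "same-origin" },
  { url: "https://app.example/callback?code=abc", coopHeader: null },
];
const relaxedFlow = strictFlow.map((hop) => ({ ...hop, coopHeader: null }));
console.log(openerSurvives(app, strictFlow), openerSurvives(app, relaxedFlow));
```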
> @artalat Thank you for providing the demo app. I ran a test locally and identified the issue. It is because of the strict Cross-Origin-Opener-Policy set on Logto. When attempting to open Logto sign-in from a popup window, it loses track of its cross-origin parent window, resulting in the observed behavior.
> It should work well on your mobile apps I assume.

Thanks. Haven't tested on native apps yet. How would we solve this on web?
Are you using our cloud service or self-hosted version?
I need to have some further discussions with the team about whether we should provide the option to disable this policy, as it may reduce our security level.
I am not familiar with expo, does it provide an option for you to redirect to sign-in directly on the current window instead of opening a pop-up window? Technically you don't need a pop-up window for web apps.
@simeng-li I have tried both cloud and self-hosted versions. Same issue.
As for expo, I don't think they provide the functionality to do this without popup.
@artalat We have confirmed this as a valid use case and agreed on removing the COOP strict check. We will shift the changes in the coming release.
@artalat Hi, forgot to mention, feel free to test it using our latest image `ghcr.io/logto-io/logto:edge`. Let me know if it works for you. Thx.
I have verified the fix and can confirm it works. Thanks for the quick resolution.
How does your release cycle work, i.e. when should I expect it to be released?