okta-oidc-js

Support all `tokenManager` configuration options in `configUtil.buildConfigObject()`

Open bryan-turley opened this issue 5 years ago • 1 comments

I'm submitting this issue for the package(s):

  • [ ] jwt-verifier
  • [ ] okta-angular
  • [ ] oidc-middleware
  • [x] okta-react
  • [ ] okta-react-native
  • [ ] okta-vue
  • [x] configuration-validation

I'm submitting a:

  • [x] Bug report
  • [ ] Feature request
  • [ ] Other (Describe below)

Current behavior

The buildConfigObject function returns a configuration object that does not fully support the available options for tokenManager. Currently, it returns an object in the form:

{
    clientId: config.clientId || config.client_id,
    issuer: config.issuer,
    redirectUri: config.redirectUri || config.redirect_uri,
    tokenManager: {
      storage: config.storage,
      autoRenew: config.autoRenew || config.auto_renew
    }
};

This configuration object lacks the secure option for the tokenManager property. As a result, there's no way to specify a secure session cookie when using the React Security component.

Expected behavior

The desired behavior is to support all the documented options for cookie storage, e.g.:

{
    clientId: config.clientId || config.client_id,
    issuer: config.issuer,
    redirectUri: config.redirectUri || config.redirect_uri,
    tokenManager: {
      storage: config.storage,
      autoRenew: config.autoRenew || config.auto_renew,
      secure: config.secure // add this line
    }
};

Minimal reproduction of the problem with instructions

Any implementation using the okta-react Security component will exhibit this issue.

Extra information about the use case/user story you are trying to implement

I have a React app using the Security component to broker user authentication:

<Security
    issuer={'https://xxxxxxxxxxx.okta.com'}
    client_id={'xxxxxxxxxxxxxxxx'}
    redirect_uri={'https://xxx.xxxx.xxxx'}
    tokenManager={{secure: true}}
    onAuthRequired={this.onAuthRequired}>
    // ...
</Security>

The secure property is ignored, so as a result there's no way to create secure session cookies.

Environment

  • Package Version: okta-auth-js (2.5.0); okta-react (1.2.0)
  • Browser: all
  • OS: n/a
  • Node version (node -v): n/a
  • Other:

bryan-turley, Jun 27 '19 22:06

@bryanatlion I know it has been some time (almost 1 year) since you filed this issue. It looks like the documentation in the README is out of date. (Internal ref: OKTA-326252)

I think the problem may be solved by putting secure in the cookies section of the config (rather than tokenManager):

{
    clientId: "",
    issuer: "",
    redirectUri: "",
    tokenManager: {
      storage: "",
      autoRenew: true | false,
    },
    cookies: {
      secure: true | false
    }
};

aarongranick-okta, Aug 28 '20 22:08
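The option loss described in this thread, as an added example that is not part of the original issue or of okta-oidc-js: it reproduces the quoted object shape, shows a variant that carries `secure` through, and audits a built config for watched options that were silently dropped. `buildConfigAsReported`, `buildConfigWithSecure`, `findOption`, `droppedOptions` and the sample props are hypothetical names and constructed values; emitting `secure` under `cookies` follows the reply's suggestion and is an assumption, not verified library behaviour.

```javascript
// Added example, not okta-oidc-js source. buildConfigAsReported copies the
// object shape quoted in the issue; every other name here is hypothetical.
function buildConfigAsReported(config = {}) {
  return {
    clientId: config.clientId || config.client_id,
    issuer: config.issuer,
    redirectUri: config.redirectUri || config.redirect_uri,
    tokenManager: {
      storage: config.storage,
      autoRenew: config.autoRenew || config.auto_renew
    }
  };
}

// Assumed fix: accept `secure` from any of the places named in the thread
// and emit it under `cookies`, as the reply suggests.
function buildConfigWithSecure(config = {}) {
  const built = buildConfigAsReported(config);
  const secure = [config.cookies?.secure, config.tokenManager?.secure, config.secure]
    .find((value) => typeof value === 'boolean');
  if (secure !== undefined) built.cookies = { secure };
  return built;
}

// Depth-first lookup of an option name anywhere in a nested options object.
function findOption(obj, name) {
  if (obj === null || typeof obj !== 'object') return undefined;
  if (obj[name] !== undefined) return obj[name];
  return Object.values(obj).map((v) => findOption(v, name)).find((v) => v !== undefined);
}

// Names of watched options the caller set that the built config lost or changed.
function droppedOptions(input, built, watched = ['secure']) {
  return watched.filter((name) => {
    const wanted = findOption(input, name);
    return wanted !== undefined && findOption(built, name) !== wanted;
  });
}

// Constructed props mirroring the <Security> usage in the issue.
const props = {
  issuer: 'https://example.okta.com',
  client_id: 'constructed-client-id',
  tokenManager: { secure: true }
};
console.log(droppedOptions(props, buildConfigAsReported(props)));
console.log(droppedOptions(props, buildConfigWithSecure(props)));
```

A check like `droppedOptions` fits in a unit test around the config mapper, so a security-relevant flag that is accepted but never forwarded fails the build instead of failing silently in production.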