
Cannot restore session because of invalid redirect url #2103

@Otto-AA

Description


Search terms you've used

InvalidRedirectUri, redirect url, iss

Impacted package

Which packages do you think might be impacted by the bug ?

  • solid-client-authn-browser
  • solid-client-authn-node
  • solid-client-authn-core
  • oidc-client-ext
  • Other (please specify): ...

Bug description

When trying to use the restorePreviousSession feature, it fails with an InvalidRedirectUri error, because it tries to redirect to http://localhost:3001/?iss=http%3A%2F%2Flocalhost%3A3000%2F instead of http://localhost:3001/. I've encountered this issue with CSS v4.0 and v3.0 using the podbrowser or the demoClientApp example.

At the end of the session restore attempt it ends at following URL: http://localhost:3000/.oidc/auth?client_id=SkTaQc0wSHmF3KCWhi8Z6&redirect_uri=http%3A%2F%2Flocalhost%3A3001%2F%3Fiss%3Dhttp%253A%252F%252Flocalhost%253A3000%252F&response_type=code&scope=openid%20offline_access%20webid&state=459c8142d71d45aaaf9e373a2aa41129&code_challenge=4scIzERWRIsHezdViVzZVAwxjyvAY8gZkXgPQSYfvzI&code_challenge_method=S256&prompt=none&response_mode=query

The query params in a more legible version:

{
  "client_id": "SkTaQc0wSHmF3KCWhi8Z6",
  "redirect_uri": "http://localhost:3001/?iss=http%3A%2F%2Flocalhost%3A3000%2F",
  "response_type": "code",
  "scope": "openid offline_access webid",
  "state": "459c8142d71d45aaaf9e373a2aa41129",
  "code_challenge": "4scIzERWRIsHezdViVzZVAwxjyvAY8gZkXgPQSYfvzI",
  "code_challenge_method": "S256",
  "prompt": "none",
  "response_mode": "query"
}

To Reproduce

Using the Cypress test

I've created a fork where I added a cypress test for this: https://github.com/Otto-AA/solid-client-authn-js/tree/reproduce-restore-session

Here is the log of the cypress run: https://github.com/Otto-AA/solid-client-authn-js/runs/6160231424?check_suite_focus=true

If you want to run the test yourself, you'll need to npm install. Then start the application with npm run dev and the CSS with npm run css:start. And finally run the test with either npm run cypress:open (interactive) or npm run test (non-interactive).

Here is a video of such a test run:

session_restore_spec.js.mp4

Manually

  1. Install and start CSS v4.0
  2. Create an account at http://localhost:3000/
  3. Install and start the demoClientApp
  4. Login using the account at http://localhost:3000
  5. Accept everything and wait until redirected to the demoClientApp
  6. Refresh the page to trigger the session restore

Expected result

I would have expected that the session restore works and returns to the demo client app.

Actual result

CSS throws an error on the refresh:

InvalidRedirectUri: invalid_redirect_uri - redirect_uri did not match any of the client's registered redirect_uris
    at checkRedirectUri (/home/oaie/coding/solid/solid-client-authn-js/packages/browser/examples/demoClientApp/node_modules/oidc-provider/lib/actions/authorization/check_redirect_uri.js:10:11)
    at dispatch (/home/oaie/coding/solid/solid-client-authn-js/packages/browser/examples/demoClientApp/node_modules/koa-compose/index.js:42:32)
    at checkOpenIdScope (/home/oaie/coding/solid/solid-client-authn-js/packages/browser/examples/demoClientApp/node_modules/oidc-provider/lib/actions/authorization/check_openid_scope.js:28:12)
    at dispatch (/home/oaie/coding/solid/solid-client-authn-js/packages/browser/examples/demoClientApp/node_modules/koa-compose/index.js:42:32)
    at checkScope (/home/oaie/coding/solid/solid-client-authn-js/packages/browser/examples/demoClientApp/node_modules/oidc-provider/lib/actions/authorization/check_scope.js:54:10)
    at dispatch (/home/oaie/coding/solid/solid-client-authn-js/packages/browser/examples/demoClientApp/node_modules/koa-compose/index.js:42:32)
    at checkResource (/home/oaie/coding/solid/solid-client-authn-js/packages/browser/examples/demoClientApp/node_modules/oidc-provider/lib/shared/check_resource.js:77:10)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async parseBodyIfPost (/home/oaie/coding/solid/solid-client-authn-js/packages/browser/examples/demoClientApp/node_modules/oidc-provider/lib/shared/conditional_body.js:7:5)

Environment

$ npx envinfo --system --npmPackages --binaries --npmGlobalPackages --browsers
  System:
    OS: Linux 5.13 Ubuntu 21.10 21.10 (Impish Indri)
    CPU: (12) x64 AMD Ryzen 5 5500U with Radeon Graphics
    Memory: 9.00 GB / 13.52 GB
    Container: Yes
    Shell: 5.1.8 - /bin/bash
  Binaries:
    Node: 16.14.2 - /usr/bin/node
    npm: 8.5.0 - /usr/bin/npm
  Browsers:
    Chromium: 100.0.4896.127
    Firefox: 99.0.1
  npmPackages:
    @babel/core: ^7.16.7 => 7.16.7 
    @babel/preset-env: ^7.16.8 => 7.16.8 
    @babel/preset-react: ^7.16.7 => 7.16.7 
    @solid/community-server: ^4.0.0 => 4.0.0 
    babel-loader: ^8.2.3 => 8.2.3 
    cypress: ^9.5.4 => 9.5.4 
    html-loader: ^3.1.0 => 3.1.0 
    html-webpack-plugin: ^5.5.0 => 5.5.0 
    react: ^17.0.2 => 17.0.2 
    react-dom: ^17.0.2 => 17.0.2 
    regenerator-runtime: ^0.13.9 => 0.13.9 
    source-map-loader: ^3.0.1 => 3.0.1 
    uuid: ^8.3.2 => 8.3.2 
    wait-on: ^6.0.1 => 6.0.1 
    webpack: ^5.66.0 => 5.66.0 
    webpack-cli: ^4.9.1 => 4.9.1 
    webpack-dev-server: ^4.7.3 => 4.7.3 
  npmGlobalPackages:
    @angular/cli: 13.3.0
    firefox-profile: 4.2.2
    q: 1.5.1
    serve: 13.0.2
    truffle: 5.5.6

Additional information

I've initially opened an issue at CSS (CommunitySolidServer/CommunitySolidServer#1276), where some background about the specification was explained by @joachimvh.
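An added illustration, not code from solid-client-authn-js, oidc-provider or CSS: it shows why the redirect_uri in the reported request fails the exact-match check an authorization server must apply, and how a client can strip the `iss` parameter (the RFC 9207 issuer identifier that the identity provider appends to the redirect) before reusing the current page location as redirect_uri. The function names are my own.

```javascript
// OAuth 2.0 clients register their redirect URIs, and the authorization
// server compares the requested redirect_uri against them by exact string
// match. A URI that carries one extra query parameter is a different URI,
// which is what the InvalidRedirectUri error in this report means.
function redirectUriAllowed(registeredUris, requestedUri) {
  return registeredUris.includes(requestedUri);
}

// Pull the redirect_uri parameter out of an authorization request URL.
// URLSearchParams removes one layer of percent-encoding, which yields the
// value the authorization server actually compares.
function redirectUriOf(authorizationUrl) {
  return new URL(authorizationUrl).searchParams.get("redirect_uri");
}

// Derive a redirect_uri from the location the app landed on after login.
// `iss` is added by the identity provider and is not part of the registered
// URI; the authorization-response parameters must not be echoed back either.
function cleanRedirectUri(currentLocation) {
  const url = new URL(currentLocation);
  for (const p of ["iss", "code", "state", "error", "error_description"]) {
    url.searchParams.delete(p);
  }
  url.hash = "";
  return url.toString();
}

// The authorization request URL from the report (copied from the issue).
const REPORTED_AUTH_URL =
  "http://localhost:3000/.oidc/auth?client_id=SkTaQc0wSHmF3KCWhi8Z6" +
  "&redirect_uri=http%3A%2F%2Flocalhost%3A3001%2F%3Fiss%3Dhttp%253A%252F" +
  "%252Flocalhost%253A3000%252F&response_type=code" +
  "&scope=openid%20offline_access%20webid" +
  "&state=459c8142d71d45aaaf9e373a2aa41129&prompt=none&response_mode=query";

// The redirect_uri the demo client registered (assumed, per the report).
const REGISTERED = ["http://localhost:3001/"];

function demo() {
  const requested = redirectUriOf(REPORTED_AUTH_URL);
  const repaired = cleanRedirectUri(requested);
  return {
    requested,                                        // carries ?iss=...
    rejected: !redirectUriAllowed(REGISTERED, requested), // true
    repaired,                                         // http://localhost:3001/
    accepted: redirectUriAllowed(REGISTERED, repaired),   // true
  };
}
```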
