Edge issue: Validating access_token failed, wrong state/nonce #9

Closed
mores opened this issue Nov 22, 2018 · 7 comments
Labels
investigation-needed Issues requires further investigation

Comments

@mores

mores commented Nov 22, 2018

I am running keycloak with 2 users - 1 local to keycloak and 1 from microsoft azure.

In Chrome - everything is working as expected for both users.

In Edge - local keycloak user is able to login and logout fine.

  • microsoft azure - first attempt to login gets invalid_nonce_in_state
    hit the login button a second time, and user is in. Reproducible every time.

I have seen similar issues, but no fix yet: manfredsteyer/angular-oauth2-oidc#218

@jeroenheijmans
Owner

You've logged this issue in my sample repo, not the library's repo: was that intentional? If it was: would you have a suggestion (or even a PR) on how to update my sample so it no longer has this problem?

You mention:

Reproducible every time

That's something we all love to hear! 😄 Could you please share how we can also reliably reproduce the issue? So I think that includes:

  • what changes to make to my sample repository (what config, etc)
  • either a minimal repro (steps) for setting up Keycloak, or a public-facing Keycloak with sample users

We'd need that to be able to look into it...

PS. You mention 218 from the library's issues list, but that doesn't seem entirely related? There most users (incl. myself) mention it is not reliably reproducible, and happens in all browsers. (Also, that issue is closed, and mentions workarounds that are incorporated already in my sample...)

@jeroenheijmans jeroenheijmans added the investigation-needed Issues requires further investigation label Nov 22, 2018
@mores
Author

mores commented Nov 22, 2018

Yes, that was my intention. No, I do not have a suggestion or PR on how to fix it.
I am just getting started with angular and can not provide much more info/insight as to the problem.

The only change I made to src/app/core/auth-config.ts was to point issuer to my keycloak.

The docs for keycloak are pretty straight forward: https://www.keycloak.org/docs/3.3/server_admin/topics/identity-broker/social/microsoft.html

I will work on setting up a public facing keycloak.

@mores
Author

mores commented Nov 23, 2018

I am testing out my public keycloak, but it does not look like angular-oauth2-oidc likes the use of a self-signed certificate. Is there a way to allow it for testing, or will I have to buy a cert to test and debug this?

@jeroenheijmans
Owner

AFAIK the library itself does nothing special around certs, that will be all browser behavior. I'm also not sure if I'm qualified to support with that (though "buying" a cert seems unnecessary to me? both adding your own root cert for a moment, or using LetsEncrypt seem like options there? or trying to disable https in the library?).

@mores
Author

mores commented Nov 26, 2018

My public keycloak is available. I used LetsEncrypt to generate the certificate. I emailed you the username and password.

@jeroenheijmans
Owner

Thanks @mores. I will have a look at it, but it might be a short bit before I have time.

@jeroenheijmans
Owner

I've spent some time looking into this, but have not been able to easily reproduce this. Some observations that might help you dig deeper:

  • In Edge, I don't get the issue you describe. If I "login" it just directly shows me the keycloak login page, and redirects me back afterwards
  • In Edge, I do get console errors about other stuff, same as with Chrome
  • In Chrome, same thing, with some CORS problems for userinfo, a user_profile_load error, and a 403 error on login-status-iframe.html

Either way, I'm afraid that I can't help much any further without putting in significant amounts of time. I'll have to ask you instead to dive deeper into things yourself, possibly debug the oauth library.

My gut feeling also tells me that the issue you're having isn't really specific to my example (you suggest as much in your OP, linking to issues on the library's GitHub repo).

Afraid I can't help you much more, so I suggest creating a "steps to reproduce" setup, and opening up an issue on the oauth library repository.

Sorry I couldn't be of more assistance.
