
disableAtHashCheck seems not working anymore in v5.0.2 #466


Closed
joel-kr opened this issue Nov 1, 2018 · 3 comments
Labels
pr-welcome We'd welcome a PR to solve the issue.


@joel-kr

joel-kr commented Nov 1, 2018

Hello Guys,

In v4.0.3 the parameter `disableAtHashCheck: true` is working fine.
We are using Cloud Foundry, which does not add the at_hash property to the claims uaa.

After updating the lib to v5.0.2 I got this error:
[image]
And here is the failing check:
[image]

Here are my project configs:
package.json:

```json
  "dependencies": {
    "@angular/animations": "^6.1.0",
    "@angular/common": "^6.1.0",
    "@angular/compiler": "^6.1.0",
    "@angular/core": "^6.1.0",
    "@angular/forms": "^6.1.0",
    "@angular/http": "^6.1.0",
    "@angular/platform-browser": "^6.1.0",
    "@angular/platform-browser-dynamic": "^6.1.0",
    "@angular/router": "^6.1.0",
    "angular-oauth2-oidc": "5.0.2",
    "core-js": "^2.5.4",
    "rxjs": "~6.2.0",
    "rxjs-compat": "^6.3.2",
    "zone.js": "~0.8.26"
  },
```

My auth.component:

```typescript
import { Component, OnInit } from '@angular/core';
import { OAuthService } from 'angular-oauth2-oidc';
import { JwksValidationHandler } from 'angular-oauth2-oidc';
import { authConfig } from './auth.config';

@Component({
  selector: 'app-auth',
  templateUrl: './auth.component.html',
  styleUrls: ['./auth.component.css']
})
export class AuthComponent implements OnInit {

  constructor(private oauthService: OAuthService) {
    this.configureWithNewConfigApi();
  }

  ngOnInit() {
  }

  private configureWithNewConfigApi() {
    // Apply the AuthConfig (including disableAtHashCheck) before any login attempt
    this.oauthService.configure(authConfig);
    // Validate ID tokens against the provider's JWKS
    this.oauthService.tokenValidationHandler = new JwksValidationHandler();
    this.oauthService.loadDiscoveryDocumentAndTryLogin();
  }

  public login() {
    this.oauthService.initImplicitFlow();
  }

}
```

And my AuthConfig:

```typescript
import { AuthConfig } from 'angular-oauth2-oidc';

export const authConfig: AuthConfig = {

  // Url of the Identity Provider
  issuer: 'https://xxxxxxxxxx',
  redirectUri: 'https://xxxxxxxxxx/auth/',
  clientId: 'xxxxxxxxxx',

  // set the scope for the permissions the client should request
  // The first three are defined by OIDC. The 4th is a usecase-specific one
  scope: 'openid',

  strictDiscoveryDocumentValidation: false,
  userinfoEndpoint: 'https://xxxxxxxxxx/userinfo',

  // the corproot oauth server doesn't return the 'at_hash' property
  // inside the claims.
  disableAtHashCheck: true,

  // nonceStateSeparator: ',',

  // clearHashAfterLogin: false,
};
```

It would be really nice if this feature would be available in v5. :-)
Many thanks and regards

manfredsteyer added the pr-welcome and regression labels Nov 14, 2018
@toedter

toedter commented Dec 6, 2018

+1. That was our main reason for not updating to 5.0.x. This issue is known at UAA (see cloudfoundry/uaa#880). A temporary hack for 5.0.2 would be

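```typescript
import { JwksValidationHandler, ValidationParams } from 'angular-oauth2-oidc';

// Temporary hack: always reports the at_hash check as passed, so a missing
// or mismatched at_hash is accepted.
class MyJwksValidationHandler extends JwksValidationHandler {
  async validateAtHash(params: ValidationParams): Promise<boolean> {
    return true;
  }
}
// ...
this.oauthService.tokenValidationHandler = new MyJwksValidationHandler();
```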
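
What the at_hash check discussed in this issue computes, as defined by OpenID Connect Core, together with a narrower policy than skipping the check outright: tolerate only an absent claim and still reject a mismatched one. This is an added example, not code from angular-oauth2-oidc or from the commenters; the function names (`computeAtHash`, `checkAtHash`, `acceptAtHash`) and the sample values are constructed for illustration, and it runs under Node.js.

```javascript
// Added example; names are hypothetical, not the angular-oauth2-oidc API.
const { createHash } = require('node:crypto');

// The hash follows the ID token's JOSE "alg": RS256/ES256/PS256 -> SHA-256, etc.
const HASH_BY_ALG_SUFFIX = { 256: 'sha256', 384: 'sha384', 512: 'sha512' };

// at_hash = base64url(left-most half of HASH(ASCII(access_token))), unpadded.
function computeAtHash(accessToken, alg) {
  const hashName = HASH_BY_ALG_SUFFIX[String(alg).slice(-3)];
  if (!hashName) throw new Error(`unsupported ID token alg: ${alg}`);
  const digest = createHash(hashName).update(accessToken, 'ascii').digest();
  return digest.subarray(0, digest.length / 2).toString('base64url');
}

// Classify instead of returning a bare boolean, so the caller can treat an
// absent claim differently from a claim that does not match the access token.
function checkAtHash(accessToken, idTokenHeader, idTokenClaims) {
  const presented = idTokenClaims.at_hash;
  if (typeof presented !== 'string' || presented === '') return 'missing';
  const expected = computeAtHash(accessToken, idTokenHeader.alg);
  return presented.replace(/=+$/, '') === expected ? 'ok' : 'mismatch';
}

// Policy: allowMissing tolerates providers that omit at_hash, but a present,
// wrong at_hash is always rejected.
function acceptAtHash(accessToken, idTokenHeader, idTokenClaims,
                      { allowMissing = false } = {}) {
  const result = checkAtHash(accessToken, idTokenHeader, idTokenClaims);
  return result === 'ok' || (result === 'missing' && allowMissing);
}

// Constructed sample values (not taken from the issue).
const sampleToken = 'constructed-access-token-0001';
const sampleHeader = { alg: 'RS256' };
const sampleClaims = { sub: 'user-1', at_hash: computeAtHash(sampleToken, 'RS256') };

console.log(checkAtHash(sampleToken, sampleHeader, sampleClaims));
console.log(checkAtHash('some-other-token', sampleHeader, sampleClaims));
console.log(acceptAtHash(sampleToken, sampleHeader, { sub: 'user-1' }, { allowMissing: true }));
```
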

@louismagandlm

I've been using Implicit Flow and with your last update @manfredsteyer, I wanted to switch on the more secure Authorization Code Flow and I met this error... Cannot go further.

Even the workaround from Dec 2018 doesn't work.

@jeroenheijmans
Collaborator

I think with the passing of time, merging of related PRs, and releases of newer versions this may be working as intended again? Going to presume this works in v9+ again, please:

  • if it doesn't work as expected in v9+ open a fresh bug report issue with a minimal repro
  • if it doesn't work in older versions, consider either updating your app, or forking the library and backporting the fix yourself (I don't think there's bandwidth on the project here to do that)
