skipIssuerCheck flag is ignored

[Pante]

I ran into an issue where configuring the library without a discovery document causes an wrong issuer error to be thrown even though skipIssuerCheck is true.

Error validating tokens angular-oauth2-oidc.js:1183
Wrong issuer: https://login.microsoftonline.com/cba9e115-3016-4462-a1ab-a565cba0cdf1/v2.0 angular-oauth2-oidc.js:1184
ERROR Error: "Uncaught (in promise): Wrong issuer: https://login.microsoftonline.com/cba9e115-3016-4462-a1ab-a565cba0cdf1/v2.0"

export const config: AuthConfig = {
    clientId: '<redacted>',
    redirectUri: window.location.origin,
    skipIssuerCheck: true,
    scope: 'openid profile email',
    
    issuer: 'https://login.microsoftonline.com/common/v2.0',
    loginUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
    logoutUrl: 'https://login.microsoftonline.com/common/oauth2/v2.0/logout',
    tokenEndpoint: 'https://login.microsoftonline.com/common/oauth2/v2.0/token',
    userinfoEndpoint: 'https://graph.microsoft.com/oidc/userinfo',
};

@Injectable()
export class AuthenticationService {
    
    private service: OAuthService;
    
    
    constructor(service: OAuthService) {
        this.service = service;
        this.service.configure(config);
        this.service.tokenValidationHandler = new JwksValidationHandler();
    }

    
    login(): void {
        if (!this.service.hasValidAccessToken()) {
            this.service.tryLogin().then(() => {
                this.service.initImplicitFlow();
            });
        }
    }   
    
}

[jeroenheijmans]

Looking at the code, this might be intentional (if I read/understand it right). The skipIssuerCheck only does this:

angular-oauth2-oidc/projects/lib/src/oauth-service.ts

Lines 480 to 490 in 0274cf5

	protected validateDiscoveryDocument(doc: OidcDiscoveryDoc): boolean {
	let errors: string[];
	if (!this.skipIssuerCheck && doc.issuer !== this.issuer) {
	this.logger.error(
	'invalid issuer in discovery document',
	'expected: ' + this.issuer,
	'current: ' + doc.issuer
	);
	return false;
	}

The error you describe is thrown here, inside the processIdToken(...) method:

angular-oauth2-oidc/projects/lib/src/oauth-service.ts

Lines 1503 to 1506 in 0274cf5

	if (claims.iss !== this.issuer) {
	const err = 'Wrong issuer: ' + claims.iss;
	this.logger.warn(err);
	return Promise.reject(err);

Not sure if this was intentional or is a bug, but either way there seems to be no way to skip validation of the issuer mentioned in the processIdToken(...) method.

If you'd want that, the only things to do seem to be:

• change the behavior and check the flag in the second case too
• add a new flag for the second instance

Not sure from the top of my head if it makes sense to have the check only in one case, someone else might chip in on that.

[Pante]

In my opinion, I think that either the flag should be checked in the second case too or this quirk be documented. Regardless, I decided to substitute common with the tenantId as a workaround but quickly ran into a CORS issue with Microsoft's jwks endpoint and ended up disabling oidc altogether.

[LeonardoZV]

Yeah, in my opinion the validation inside processIdToken is wrong. In my case the issuer returned by /.well-known/openid-configuration changes deppeding on the server that receives the request and i cannot change it (corporative nonsense). So skipIssuerCheck is important and the fix inside the processIdToken is needed.

[ismcagdas]

@jeroenheijmans are you going to implement this ? Thanks.

[jeroenheijmans]

@ismcagdas Nope, wasn't planning on writing a PR for this. All yours if you feel like it!

[ismcagdas]

Done, #527

[stormdevteam]

Whats the status of PR #527?