Race condition in OpenID code flow causes redirect loop or double redirect on login
Hello,
Describe the bug
I've noticed a bug related to the OpenID code flow process when used with a completely protected site, specifically on a base site protected by requiresAuthentication. The issue seems to be a race condition between the execution of AuthService.checkOAuthParamsInUrl() and the LoginGuard which can result in repeated and excessive redirects.
The symptoms of the bug vary depending on the browser used. In Firefox, the user is caught in a continuous redirect loop, while in Chrome, two redirects are necessary for the login to complete.
AuthService.checkOAuthParamsInUrl() may not have completed its execution, but LoginGuard still redirects to the login route to start the authentication process. This premature redirection seems to be the root cause of the race condition.
Tell us the version of Spartacus
- Library version: develop-6.2.x
To Reproduce
Steps to reproduce the behavior:
- Set up a completely protected site with requiresAuthentication.
- Implement oAuth2 with code flow on this site.
- Attempt to login with Firefox or Chrome.
- Notice that in Firefox, the user is caught in a continuous redirect loop. In Chrome, two redirects are needed to complete the login.
Expected behavior
On initiating the login process, the system should redirect the user to the login route only once. After successful callback from IDP, the user should be directed to their intended destination without additional unnecessary redirects back to /login.
Desktop (please complete the following information):
- OS: osx
- FF 114.0.1
- Chrome 113.0.5672.92
Additional context
To fix this, I guarded AuthService.checkOAuthParamsInUrl() with a BehaviorSubject, similar to how AuthService.logoutInProgress$ is implemented. In the LoginGuard, I then made sure to wait for AuthService.checkOAuthParamsInUrl() to complete before calling AuthService.isUserLoggedIn(). This approach resolved the issue in my case.
I'd be happy to provide more information or a PR if needed.
Thanks
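An added model of the race and of the fix described above, not code from Spartacus or the reporter's patch: an "in progress" flag published through a BehaviorSubject-style holder (the same shape as logoutInProgress$), and a guard that waits for that flag to clear before calling isUserLoggedIn(). The MiniBehaviorSubject class stands in for RxJS's BehaviorSubject so the file runs without rxjs; AuthServiceModel, oauthCheckInProgress$, the two canActivate functions, the constructed callback URL and the 20 ms token exchange are all assumptions for the illustration.

```typescript
// Minimal stand-in for RxJS BehaviorSubject: holds a current value, replays it
// on subscribe, and notifies subscribers on next(). Assumption for this example.
class MiniBehaviorSubject<T> {
  private listeners: Array<(v: T) => void> = [];
  constructor(private value: T) {}
  getValue(): T { return this.value; }
  next(v: T): void {
    this.value = v;
    for (const l of [...this.listeners]) l(v);
  }
  subscribe(fn: (v: T) => void): () => void {
    this.listeners.push(fn);
    fn(this.value); // replay current value, as BehaviorSubject does
    return () => { this.listeners = this.listeners.filter(l => l !== fn); };
  }
  // Resolves with the first value satisfying pred (like firstValueFrom(obs.pipe(filter(pred)))).
  firstWhere(pred: (v: T) => boolean): Promise<T> {
    if (pred(this.value)) return Promise.resolve(this.value);
    return new Promise<T>(resolve => {
      const unsub = this.subscribe(v => { if (pred(v)) { unsub(); resolve(v); } });
    });
  }
}

// Model of the auth service: the OAuth callback check flips an in-progress flag
// while the code is exchanged for a token (the exchange is a constructed delay).
class AuthServiceModel {
  readonly oauthCheckInProgress$ = new MiniBehaviorSubject<boolean>(false);
  private loggedIn = false;
  constructor(private tokenExchangeMs: number) {}

  async checkOAuthParamsInUrl(url: string): Promise<void> {
    const code = new URL(url, 'https://shop.example').searchParams.get('code');
    if (!code) return; // no authorization code in the URL: nothing to do
    this.oauthCheckInProgress$.next(true);
    try {
      await new Promise<void>(resolve => setTimeout(() => resolve(), this.tokenExchangeMs));
      this.loggedIn = true; // token stored, user is now logged in
    } finally {
      this.oauthCheckInProgress$.next(false);
    }
  }

  isUserLoggedIn(): boolean { return this.loggedIn; }
}

// Racy guard: consults login state immediately. If the callback is still being
// processed, it sees "not logged in" and redirects to /login again.
function racyCanActivate(auth: AuthServiceModel): string {
  return auth.isUserLoggedIn() ? 'allow' : 'redirect:/login';
}

// Guarded variant: wait until no OAuth check is in flight, then decide.
async function guardedCanActivate(auth: AuthServiceModel): Promise<string> {
  await auth.oauthCheckInProgress$.firstWhere(inProgress => !inProgress);
  return auth.isUserLoggedIn() ? 'allow' : 'redirect:/login';
}

// Runs the callback check and the guard concurrently, as happens when the
// router activates the protected route while the IDP callback is being handled.
async function simulate(useFix: boolean): Promise<string> {
  const auth = new AuthServiceModel(20);
  const callback = auth.checkOAuthParamsInUrl('/?code=constructed-auth-code&state=constructed-state');
  const decision = useFix ? await guardedCanActivate(auth) : racyCanActivate(auth);
  await callback;
  return decision;
}

simulate(false).then(d => console.log('without fix:', d)); // redirect:/login
simulate(true).then(d => console.log('with fix:   ', d)); // allow
```

Because the guard waits on the flag rather than on a timer, it proceeds as soon as the token exchange finishes, whether that takes 20 ms or several seconds, and still redirects to /login when no callback is in progress and the user really is logged out.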
+1
I have the same behaviour in 6.8.x.
I was able to reproduce it in:
- Chrome 122.0.6261.112
- Firefox 123.0.1
- Safari 17.4
A quick and dirty fix is to add a delay(1000) to LoginGuard.canActivate().
Also tried @nolotz's solution, but couldn't get it to work correctly.
@nolotz could you provide your changes to AuthService.checkOAuthParamsInUrl() here and open a PR? Would really appreciate it!