
[Bug]: silent renew failed! Error: Error: authorizedCallback, token(s) validation failed, resetting. Hash #1947

Open
mf-andres opened this issue May 28, 2024 · 0 comments


mf-andres commented May 28, 2024

Version

17.0.0

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

I'm getting the following error:

```text
authentication.service.ts:42 [ERROR] 0-ace_fe - silent renew failed! Error: Error: authorizedCallback, token(s) validation failed, resetting. Hash: at angular-auth-oidc-client.mjs:3657:37 at Observable.init [as _subscribe] (throwError.js:5:51) at Observable._trySubscribe (Observable.js:37:25) at Observable.js:31:30 at errorContext (errorContext.js:19:9) at Observable.subscribe (Observable.js:22:21) at catchError.js:14:31 at OperatorSubscriber._error (OperatorSubscriber.js:23:21) at OperatorSubscriber.error (Subscriber.js:40:18) at OperatorSubscriber._error (Subscriber.js:64:30)
```

Steps to reproduce the behavior

Angular 17.
"angular-auth-oidc-client": "17.0.0"

Service configuration is set in app.module.ts (the two imports and the closing braces were missing from the pasted fragment; the environment import path is the usual Angular location and is assumed):

```typescript
import { AuthModule, LogLevel } from 'angular-auth-oidc-client';
import { environment } from '../environments/environment'; // assumed path of the project's environment file

AuthModule.forRoot({
  config: {
    authority: environment.authenticationConfig.authority,
    redirectUrl: environment.authenticationConfig.redirectUrl, // goes to /redirect
    postLoginRoute: "/home",
    postLogoutRedirectUri: environment.authenticationConfig.postLogoutRedirectUrl, // goes to /front-page
    unauthorizedRoute: environment.authenticationConfig.unauthorizedRoute, // goes to /unauthorized
    clientId: "fe",
    ignoreNonceAfterRefresh: false, // if set to true, refresh works but nonce is not validated
    scope: "openid profile offline_access",
    responseType: "code",
    silentRenew: true,
    useRefreshToken: true,
    secureRoutes: environment.authenticationConfig.secureRoutes,
    logLevel: LogLevel.Debug,
  },
})
```

Authority is a Keycloak container version 23.0.4
FE client configuration:

Client authentication off
Authentication flow: standard flow

A clear and concise description of what you expected to happen.

After configuring the authentication service to run an authorization code flow with PKCE and silent renew based on refresh tokens, I expected the nonce validation of the refreshed tokens to be successful. However, the nonce validation raised an error due to the local state being inconsistent.

Additional context

Authenticate request body:

```text
client_id: fe
redirect_uri: http://localhost:4200/redirect
response_type: code
scope: openid profile offline_access
nonce: 073d4fc4245855ebcc11fb1aaf2bf6ec8fvf3PHd6
state: ac41b608d9eb7b6a12f92803596728ebdfQu9Jnek
code_challenge: m-67CbyWPkVs0NtMOEFXsDiO8MpkF1klNEaiU4QCTKY
code_challenge_method: S256
```

Information stored in local storage after redirection by Keycloak:

```text
access_token_expires_at: 1716886568000
authNonce: null
authStateControl: ""
authWellKnownEndPoints: {issuer: "http://localhost:8080/realms/myapp",…}
authnResult: {,…}
authzData: "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI3eVJHRVRBVXctdTNCWnVFTDF1WW5jWkR3eURwXzlYTnJ6djctMUFGVV8wIn0.[JWT payload and signature omitted]"
codeVerifier: "581a94aa63e6c12d6fff5cd17e1c4c8208a434d8c75f496f2477c787c317Y2VZ5iU"
jwtKeys: {,…}
session_state: "e5a06ca0-4f2c-418d-8d43-85ed29860bef"
storageCodeFlowInProgress: false
storageSilentRenewRunning: ""
```

We can see that the authNonce variable is null. I think this is causing the error. Maybe the original nonce is being overwritten by some of the calls to the setNonce function, for example the one in the src/lib/flows/callback-handling/history-jwt-keys-callback-handler.service.ts file, or the one in src/lib/iframe/silent-renew.service.ts, which could mean that something related to the keys or to the params of the renew callback is wrong?

I am also getting this log (not really an error?), which I think is the cause of the token validation error:

```text
Validate_id_token_nonce failed, dataIdToken.nonce: 073d4fc4245855ebcc11fb1aaf2bf6ec8fvf3PHd6 local_nonce:--RefreshToken--
```

It is getting the nonce from the token, but the stored nonce is a placeholder.
This placeholder is used in the file src/lib/flows/callback-handling/refresh-session-callback-handler.service.ts to set the authNonce state to the placeholder if there is a refresh token in the state service?

angular-auth-oidc-client/projects/angular-auth-oidc-client/src/lib/flows/callback-handling/refresh-session-callback-handler.service.ts

```typescript
// Nonce is not used with refresh tokens; but Key cloak may send it anyway
this.flowsDataService.setNonce(
  TokenValidationService.refreshTokenNoncePlaceholder,
  config
);
```

Indeed my Keycloak instance sends the nonce in every token of the response to the refresh token request.

The localNonce may later be checked in the oidc-client/src/lib/validation/token-validation.service.ts file, where the failed-check log message that troubles me is raised:

```typescript
if (!isFromRefreshToken && dataIdToken.nonce !== localNonce) {
  this.loggerService.logDebug(
    configuration,
    'Validate_id_token_nonce failed, dataIdToken.nonce: ' +
      dataIdToken.nonce +
      ' local_nonce:' +
      localNonce
  );

  return false;
}
```

Maybe it is this check that is causing the token validation to fail?

These are the other warnings and errors that I get from the console:

```text
authentication.service.ts:42 [WARN] 0-ace_fe - authCallback incorrect nonce, did you call the checkAuth() method multiple times?
angular-auth-oidc-client.mjs:70 [DEBUG] 0-ace_fe - authCallback token(s) invalid
authentication.service.ts:42 [WARN] 0-ace_fe - authorizedCallback, token(s) validation failed, resetting. Hash:
angular-auth-oidc-client.mjs:70 [DEBUG] 0-ace_fe - Local Login information cleaned up and event fired
angular-auth-oidc-client.mjs:70 [DEBUG] 0-ace_fe - Local Login information cleaned up and event fired

authentication.service.ts:42 [ERROR] 0-ace_fe - silent renew failed! Error: Error: authorizedCallback, token(s) validation failed, resetting. Hash: at angular-auth-oidc-client.mjs:3657:37 at Observable.init [as _subscribe] (throwError.js:5:51) at Observable._trySubscribe (Observable.js:37:25) at Observable.js:31:30 at errorContext (errorContext.js:19:9) at Observable.subscribe (Observable.js:22:21) at catchError.js:14:31 at OperatorSubscriber._error (OperatorSubscriber.js:23:21) at OperatorSubscriber.error (Subscriber.js:40:18) at OperatorSubscriber._error (Subscriber.js:64:30)
```

Another important thing is that checkAuth() in my code is only called in the ngInit function of the Redirect component, which is instantiated when accessing the /redirect route (unprotected by any guard).
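To make the sequence in the report concrete, here is an added model of the nonce check quoted above, replayed through the steps the report describes (login nonce stored, refresh handler writes the placeholder, Keycloak echoes the original nonce in the refreshed ID token). This is not angular-auth-oidc-client code; how isFromRefreshToken is derived from the placeholder and the ignoreNonceAfterRefresh option, and the stricter alternative at the end, are assumptions.

```typescript
// Added model of the nonce check discussed in this issue; NOT angular-auth-oidc-client code.
// The way isFromRefreshToken is derived below is an assumption about the library.
const REFRESH_TOKEN_NONCE_PLACEHOLDER = '--RefreshToken--';

interface IdTokenClaims { sub: string; nonce?: string }
interface NonceOutcome { valid: boolean; log?: string }

// Mirrors the quoted `if (!isFromRefreshToken && dataIdToken.nonce !== localNonce)` check.
function validateIdTokenNonce(
  claims: IdTokenClaims, localNonce: string | null, ignoreNonceAfterRefresh: boolean,
): NonceOutcome {
  // Only treat the token as a refresh result when the stored nonce is the placeholder
  // AND the token either carries no nonce or the operator opted out of checking it.
  const isFromRefreshToken =
    localNonce === REFRESH_TOKEN_NONCE_PLACEHOLDER &&
    (claims.nonce === undefined || ignoreNonceAfterRefresh);
  if (!isFromRefreshToken && claims.nonce !== localNonce) {
    return { valid: false,
      log: `Validate_id_token_nonce failed, dataIdToken.nonce: ${claims.nonce} local_nonce:${localNonce}` };
  }
  return { valid: true };
}

// Stricter alternative (assumption, following OIDC Core 12.2): keep the login nonce instead of a
// placeholder, and require a nonce that IS present in a refreshed ID token to equal it.
function validateRefreshedNonceStrict(claims: IdTokenClaims, loginNonce: string): boolean {
  return claims.nonce === undefined || claims.nonce === loginNonce;
}

// Replays the sequence from the report: login stores the nonce, the code callback validates it,
// the refresh-session callback overwrites it with the placeholder, then the refreshed ID token
// (with or without an echoed nonce) is validated.
function simulateRefresh(idpEchoesNonce: boolean, ignoreNonceAfterRefresh: boolean): NonceOutcome {
  const storage = new Map<string, string>();      // stands in for localStorage
  const loginNonce = 'constructed-login-nonce';   // constructed sample value
  storage.set('authNonce', loginNonce);
  const first = validateIdTokenNonce({ sub: 'u1', nonce: loginNonce },
    storage.get('authNonce') ?? null, ignoreNonceAfterRefresh);
  if (!first.valid) return first;
  storage.set('authNonce', REFRESH_TOKEN_NONCE_PLACEHOLDER); // refresh-session-callback-handler
  const refreshed: IdTokenClaims = idpEchoesNonce ? { sub: 'u1', nonce: loginNonce } : { sub: 'u1' };
  return validateIdTokenNonce(refreshed, storage.get('authNonce') ?? null, ignoreNonceAfterRefresh);
}
```

With an IdP that omits the nonce from refreshed ID tokens the placeholder path passes; with one that echoes it and ignoreNonceAfterRefresh left false, the model produces exactly the "local_nonce:--RefreshToken--" failure seen in the log.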

@mf-andres mf-andres changed the title [Bug]: [Bug]: silent renew failed! Error: Error: authorizedCallback, token(s) validation failed, resetting. Hash May 28, 2024