We are using @axa-fr/react-oidc (7.26.3) with Keycloak and we're seeing an error page when hitting the back button after login:
state not found in service worker, using sessionStorage
Error: State not valid (expected: null, received: XXXXX)
Here are some details on the full flow:
- User goes to app
- App redirects to Keycloak
- User logs into Keycloak
- Keycloak redirects to callback_url with state=AAA
- react-oidc validates the state and redirects the user to the landing page, user is connected
- User presses "back"
- Browser returns to the Keycloak page
- Keycloak sees the user has an active session and redirects to callback_url with a new state=BBB ⚠️ (I expect this to be the source of the issue)
- react-oidc fails to validate the state "expected: null"
- Error page is shown
This does not happen with your example because after pressing back Duende just shows the login form again.
Do you think this kind of use-case could be handled by the lib?
Oidc config:

```typescript
import { OidcConfiguration } from '@axa-fr/react-oidc';

// `environment` is the app's own settings object (not shown in this report)
const oidcConfig: OidcConfiguration = {
  storage: window.localStorage,
  client_id: environment.oidc.clientId,
  redirect_uri: window.location.origin + '/auth/callback',
  silent_redirect_uri: window.location.origin + '/auth/silent-callback',
  scope: 'openid profile email offline_access', // offline_access scope allows your client to retrieve the refresh_token
  authority: environment.oidc.serverURL,
  service_worker_relative_url: '/OidcServiceWorker.js', // just comment that line to disable service worker mode
  service_worker_only: true,
  demonstrating_proof_of_possession: false, // demonstrating proof of possession will work only if access_token is accessible from the client (This is because WebCrypto API is not available inside a Service Worker)
};
```