angular - OidcClient.readSigninResponseState : No matching state found in storage - oidc-client-js (Angular)

Question

我正在使用 oidc-client library用于在我的 Angular(9) 应用程序中与 Azure AD 集成。 signinRedirect() & signinSilent()功能按预期工作。但是对于 signinPopup() , 它在浏览器 url 片段中成功获取了访问 token ，但它引发了下面提到的错误 :

app.component.ts:83 Error: No matching state found in storage at oidc-client.min.js:1

令人惊讶的是，在 signin-callback.html 中，当我将 response_type 作为查询传递时 var userManager = new Oidc.UserManager({response_mode: "query"}); , 登录弹出成功但登录重定向失败提示

Error: No state in response

我已关注此 article最初。

这是我的 服务代码:

import { Injectable } from '@angular/core';
import { UserManager, UserManagerSettings, User } from 'oidc-client';

import { environment } from 'src/environments/environment';

@Injectable({
  providedIn: 'root'
})
export class AuthService {
  private userManager: UserManager;

  constructor() {
    this.instantiate();
  }

  private instantiate() {
   this.userManager = new UserManager(this.getOidcSettings());
  }

  public async signinRedirect(): Promise<any> {
    return this.userManager.signinRedirect();
  }

  public async signinSilent(): Promise<User> {
    return this.userManager.signinSilent();
  }

  public async signinPopup(): Promise<User> {
    return this.userManager.signinPopup();
  }

  public async signoutRedirect(): Promise<any> {
    this.userManager.signoutRedirect();
    this.userManager.clearStaleState();
  }

OIDC 设置:

const userManagerSettings: UserManagerSettings = {
      client_id: 'my clientid',
      authority: 'my authority',

      redirect_uri: 'http://localhost:4200/assets/oidc/signin-callback.html',
      silent_redirect_uri: 'http://localhost:4200/assets/oidc/silent-refresh-callback.html',
      post_logout_redirect_uri: 'https://localhost:4200/',

      response_type: 'token',
      response_mode: 'fragment',
      scope: 'my api scope',

      loadUserInfo:false
    };

signin-callback.html

<!DOCTYPE html>
<html lang="en">
  <head>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/oidc-client/1.10.1/oidc-client.min.js"></script>
    <script>
      var userManager = new Oidc.UserManager();

      userManager.signinRedirectCallback().then(
        (user) => {
          alert('signin redirect successful.');
          window.history.replaceState(
            {},
            window.document.title,
            window.location.origin
          );
          window.location = '/';
        },
        (err) => {
          alert('Error caught in signinRedirectCallback()');
          console.log('Error caught in signinRedirectCallback().');
          console.error(err);
        }
      );

      userManager.signinPopupCallback().then(
        (user) => {
          alert('signin pop up successful.');
          window.history.replaceState(
            {},
            window.document.title,
            window.location.origin
          );
          window.location = '/';
        },
        (err) => {
          alert('Error caught in signinPopupCallback()');
          console.log('Error caught in signinPopupCallback().');
          console.error(err);
        }
      );
    </script>
  </head>
  <body></body>
</html>

静音刷新回调.html

<!DOCTYPE html>
<html lang="en">
  <head>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/oidc-client/1.10.1/oidc-client.min.js"></script>
    <script>
      var userManager = new Oidc.UserManager();
      userManager.signinSilentCallback().catch((err) => {
        console.log('Error caught in signinSilentCallback().');
        console.error(err);
      });
    </script>
  </head>
  <body></body>
</html>

Answer 1

我们遇到了一个类似的问题，即部分用户间歇性地出现此错误。到目前为止，我们已经了解到发生这种情况的两个具体原因:

一些系统时钟设置与当前实际时间相差5分钟以上的用户(在oidc-client-js中clockSkew默认为5分钟)

一些用户正在共享和重新使用唯一生成的登录 URL，以及 Identity Server 生成的安全参数。可以使用身份服务器登录，但是像 nonce 这样的安全变量不匹配(最终在 oidc-signin 回调中抛出“在存储中找不到匹配状态”错误)