anvilresearch / connect-js Goto Github PK

The client should handle state param as specified in OpenID Connect Core and RFC6749

The openid specs has an optional display request parameter with values page, popup, touch and wap.

It appears that independent(!?) from this there is also a choice on how to integrate this into the browser client app. Currently this library supports this by the configuration property display which has values popup or page (default). This is described in Readme.md

Note that page is implemented as a full page navigation (`window.location = ) which means that the app will be reloaded. This can be problematic for Single Page Apps.

A client should be able to display a full login page in a tab or window without having to do a reload.
This would behave similar to a popup on mobile devices. Mobile Safari does not support popups and opens a new tab instead.

One way to this would be to have the display configuration be popup, open_window ,same_windowwheresame_windowwould be the currentpage` setting.

Would this make sense?

Problem: When an access token expires, we must get a new one so the user can both remain logged in and make requests to authorized service endpoints.

Ideally:

1. The process of refreshing should be invisible to the user. If an application "requires authentication" on all routes and auto-redirects to the anvil server, it will get a new token back (via the normal auth flow). However, this is obviously not using the "refresh" token that is in place...and it causes a redirect & full page refresh.
2. Refreshing should not take place as part of a user-initiated task. Ideally the token would be "auto-refreshed" prior to its expiration to prevent subsequent requests to service endpoints the application depends on from failing. It would be relatively trivial to monitor outgoing request and refresh only when necessary. However, I feel this is less than ideal because:
   1. The next service API call would incur the cost of the refresh request in addition to the API service request itself.
   2. If multiple API calls were to take place in parallel, I believe a race condition/error would present itself at some point (one succeeds, one does not...how does failed request recover).

Any ideas on how to handle this? (my primary concern with this is in the context of an AngularJS application...but feel free to interpret outside that context as well if desired)

Will be great if lib is compatible with breaking changes in jsrsasign/jsjws
Problem is described here
anvilresearch/connect-jwt#7
Until breaking changes are implemented, dependencies can be updated to
"jsrsasign": "4.9.2"

I don't feel enough experienced in this area to do it myself...

We've experimented with a number of JavaScript crypto libraries (sjcl, crypto-js, jsrsasign, etc) in this package for various purposes. The most important case is verifying signatures. In the meantime, the WebCrypto API has been maturing and will eventually be ready to replace some or all of these dependencies.

We need to explore the potential for rewriting some of this code using WebCrypto, take stock of it's readiness for general use, and consider implementing fallbacks for older browsers that will continue to require polyfills or additional optional dependencies.

This is with IOS version 8.2 (on IPad 2nd gen).

I tried using the display popup mode from the angular example (https://github.com/anvilresearch/connect-example-angularjs, see https://github.com/henrjk/connect-example-angularjs/blob/tryit/README.md).

To enable testing from my devices I am using grunt serve of the example while changing the hostname to 0.0.0.0 here). This allows to access the page with the private IP address of my dev machine in my home network.
I configured the anvil-connect server so that callbacks and auth server also use that private IP address.

This works fine from the desktop and also on an Android Nexus 4, with Android 4.4.4 and Chrome 43.0.2357.93.

However when I touch SignIN on mentioned IPad nothing happens. The behaviour is the same in both Chrome (43.0.2357.61) and Safari (from User-Agent: Version/8.0 Mobile/12D508 Safari/600.1.4).

Earlier I had made some changes in the anvil-connect.angular.js to see how opening a new tab would work instead of reloading the URL in display page mode. As this had worked fine I suspected that the problem was the popup() function

Indeed when I comment out the || $document.documentElement.clientWidth and || $document.documentElement.clientHeight the popup works.

I have not yet actually debugged into this.

This is not directly related but I mention it as the resolution might be affected by this. I believe a display page mode which is presented in a new tab is a valid option also which makes more sense to me in a single page app then a page reload.