[Bug]: Unable to store UserInfo with codeflow and disableIdTokenValidation=true #1908

Open
xxldaniel opened this issue Feb 29, 2024 · 0 comments

Version

17.0.0

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

Error: Failed to retrieve user info with error:  Error: Received no user data, request failed.

This error has been raised by the event service. The real error has not been handled correctly.

The user data can't be stored because it validates the id_tokens.sub, which is undefined if you have activated `disableIdTokenValidation` in the OpenIdConfiguration.

The function validateUserDataSubIdToken() is called in the UserService. This function returns undefined. That blocks the logic to store the user data.

Steps to reproduce the behavior

- Log in and use the special configs autoUserInfo = true and disableIdTokenValidation = true
- Get error messages in your console and see that user info can't be loaded

A clear and concise description of what you expected to happen.

I expect that user info can be loaded, no matter whether I disable or enable the `disableIdTokenValidation` property in the OpenIdConfiguration class.

Additional context

Description

We run the authentication client with Angular version 14 and authentication package version 14. End users told us they need to log in again after a couple of minutes. Our solution: disableIdTokenValidation = true, which worked fine for us.

We are now updating our projects to Angular 17, so we are updating the authentication package as well. I'm happy about the fact that there are no breaking changes in the API. Thank you for that!

BUT: With the exact settings we are not able to join your software, because the user data can't be loaded. After a couple of hours and a lot of debugging, I found out that everything works fine when I set disableIdTokenValidation to false.

There must be a change in the previous versions. In my opinion it is a bug.

Context

Here are my Configurations:

```typescript
import { Injectable } from "@angular/core";
import { LogLevel, OpenIdConfiguration } from "angular-auth-oidc-client";
import { ClientConfigurationProvider } from "../../application-bootstrapping/client-configuration-provider";
import { ClientConfiguration } from "../../application-configuration/client-configuration";

/**
 * Provider is loaded by the OIDC Service. It provides the suitable configs for the angular oidc client
 * See: https://angular-auth-oidc-client.com/docs/documentation/configuration#getting-static-config-from-a-service-sync to get more information
 */
@Injectable({ providedIn: "root" })
export class AuthenticationConfigProvider {
    constructor(
        private readonly _clientConfigurationProvider: ClientConfigurationProvider
    ) { }

    public provide(): OpenIdConfiguration {

        const currentClient: ClientConfiguration = this._clientConfigurationProvider.provide();
        const configFromClientConfiguration = currentClient.identityServerConfiguration;

        const config: OpenIdConfiguration = {
            authority: configFromClientConfiguration?.identityHostUrl,
            redirectUrl: configFromClientConfiguration?.loginRedirectUrl,
            postLoginRoute: "/auto-login",
            clientId: configFromClientConfiguration?.clientId,
            responseType: "code",
            scope: configFromClientConfiguration?.scopes,
            useRefreshToken: true,
            silentRenew: true,
            logLevel: LogLevel.Debug,
            silentRenewUrl: `${configFromClientConfiguration?.clientProtocol}://${configFromClientConfiguration?.clientHost}/silent-renew.html`,
            triggerAuthorizationResultEvent: false,
            disableIatOffsetValidation: true,
            renewTimeBeforeTokenExpiresInSeconds: 100,
            disableIdTokenValidation: true
        };
        return config;
    }
}
```

Please let me know if you need more information.

Related Classes

Let me show you what I found out:

I am using CodeFlow.
Therefore the FlowService.processCodeFlowCallback() will be called.

In that function these lines of code will be called:

        concatMap((callbackContext) =>
          this.stateValidationCallbackHandlerService.callbackStateValidation(
            callbackContext,
            config,
            allConfigs
          )
        ),

Here the callback will be enriched with information.

You land in the StateValidationService and the function validateState().
In case you have disableIdTokenValidation = true, the callback will not be enriched correctly.

Let's go to a higher view again:
FlowService.processCodeFlowCallback()

Here is this code fragment:

        concatMap((callbackContext) =>
          this.userHandlerService.callbackUser(
            callbackContext,
            config,
            allConfigs
          )
        )
      );

This is responsible for validating the user info and storing it in the browser session state.

The code reaches:

  • UserService.getAndPersistUserDataInStore()
  • UserService.getUserDataOidcFlowAndSave()
  • UserService.validateUserDataSubIdToken()

The last function can't return true, because the callback context doesn't keep the id_token.

How to fix

StateValidationService


UserService


@xxldaniel xxldaniel changed the title [Bug]: [Bug]: Unable to store UserInfo with codeflow and disableIdTokenValidation=true Feb 29, 2024
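
The `sub` comparison this issue runs into, as an added example that is not part of the original issue and not angular-auth-oidc-client source: OpenID Connect Core section 5.3.2 requires the UserInfo `sub` to exactly match the ID token `sub`, so a callback context without a decoded ID token can never pass the check. Every function and type name below is hypothetical, the early return in `validateState` only models the behaviour reported above, and the token and user data are constructed samples.

```typescript
// Simplified model of the flow described in the issue (hypothetical names).
type Claims = { sub?: string; [k: string]: unknown };
interface FlowConfig { disableIdTokenValidation: boolean }
interface CallbackContext { idToken: string; decodedIdToken?: Claims }

// Read the payload segment of a JWT (no signature check; illustration only).
function decodePayload(jwt: string): Claims {
  const seg = jwt.split(".")[1] ?? "";
  return JSON.parse(atob(seg.replace(/-/g, "+").replace(/_/g, "/")));
}

// Build a constructed sample token with a placeholder signature.
function sampleToken(claims: Claims): string {
  const b64u = (o: object) =>
    btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${b64u({ alg: "RS256" })}.${b64u(claims)}.constructed-signature`;
}

// Models the reported behaviour: with validation disabled, the context is
// returned without the decoded ID token.
function validateState(idToken: string, cfg: FlowConfig): CallbackContext {
  if (cfg.disableIdTokenValidation) return { idToken };
  return { idToken, decodedIdToken: decodePayload(idToken) };
}

// OIDC Core 5.3.2: UserInfo "sub" must exactly match the ID token "sub".
function subMatches(ctx: CallbackContext, userData: Claims): boolean {
  const idSub = ctx.decodedIdToken?.sub;
  return typeof idSub === "string" && idSub.length > 0 && idSub === userData.sub;
}

// Store user data only when the sub check passes (fail closed).
function persistUserData(ctx: CallbackContext, userData: Claims): Claims | null {
  return subMatches(ctx, userData) ? userData : null;
}

// Constructed sample inputs.
const token = sampleToken({ sub: "user-123", iss: "https://idp.example" });
const userInfo: Claims = { sub: "user-123", name: "Constructed User" };
```
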