I am currently setting up an identity server with a SPA client and a few REST services to consume data from. Everything seems to work, but I currently struggle to understand why every API call with a valid access_token triggers a request to the /authorize endpoint of the identity server.
This button simply calls my REST API via an instance of the HttpClient from @angular/common/http. Those buttons are on my /login page. The callback from the identity server is set up to go to /login/callback.
Each click on the button sends a request to the /authorize endpoint and, as a result, redirects me with an HTTP 302 to the /login/callback page. The request still goes through and everything works, but there is always this redirect happening. I would have expected that, in case of a valid access_token, this request wouldn't be necessary?
Within the AccessTokenInterceptor I call my OidcService, which has access to the UserManager from the oidc-client library. For some reason every request which involves getUser() on the UserManager triggers this /authorize request in response, even though the access_token is still valid. What am I missing here?
import { Injectable } from '@angular/core';
import { HttpEvent, HttpHandler, HttpInterceptor, HttpRequest } from '@angular/common/http';
import { Observable } from 'rxjs/Observable';
import 'rxjs/add/operator/mergeMap';
import { User } from 'oidc-client';
import { OidcService } from './oidc.service'; // path assumed; the page does not show it

@Injectable()
export class AccessTokenInterceptor implements HttpInterceptor {
    constructor(private oidcService: OidcService) { }

    intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
        // Resolve the cached user from oidc-client's UserManager, then continue the chain.
        return this.oidcService.getUser()
            .mergeMap((user: User) => {
                if (user) {
                    // Attach the bearer token. Note that this happens for every request
                    // passing through HttpClient, whatever its destination.
                    request = request.clone({
                        setHeaders: {
                            Authorization: `Bearer ${user.access_token}`
                        }
                    });
                }
                return next.handle(request);
            });
    }
}
I appreciate any help in that matter and please let me know in case you need some more code samples.
Once I click the "Call Api" button, the following three requests are made:

1. An OPTIONS request to my REST API.
2. A request to /authorize (which ends up returning an HTTP 302 and does the redirect which I would like to avoid).
3. The GET request to the REST API, which is what I intended to do.

Web Application - UserManagerSettings
{
    "authority": "https://localhost:44327",
    "client_id": "webClient",
    "response_type": "id_token token",
    "scope": "openid testclientapi testclientapi.read testclientapi.write",
    "redirect_uri": "http://localhost:4200/login/callback",
    "post_logout_redirect_uri": "http://localhost:4200/logout/callback",
    "silent_redirect_uri": "http://localhost:4200/login/silentLogin",
    "automaticSilentRenew": true,
    "monitorSession": true,
    "revokeAccessTokenOnSignout": true,
    "loadUserInfo": true
}
Identity Server - Client Configuration
new Client
{
    ClientId = "webClient",
    ClientName = "myclient",
    AllowedGrantTypes = GrantTypes.Implicit,
    AccessTokenType = AccessTokenType.Reference,   // opaque token; the API validates it via introspection
    AccessTokenLifetime = 60 * 60,                 // seconds
    IdentityTokenLifetime = 30,                    // seconds
    RequireConsent = false,
    AllowOfflineAccess = true,                     // only used if the client requests the offline_access scope
    AllowAccessTokensViaBrowser = true,            // needed for response_type "id_token token"
    ClientSecrets =
    {
        new Secret("XYZ")                          // never sent by a browser-based implicit client
    },
    AllowedCorsOrigins = new string[]
    {
        "http://localhost:4200",
    },
    RedirectUris =
    {
        "http://localhost:4200/login/callback",
        "http://localhost:4200/login/silentLogin",
        "http://localhost:4200/logout/callback",
    },
    PostLogoutRedirectUris =
    {
        "http://localhost:4200/logout/callback",
    },
    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        "testclientapi",
        "testclientapi.read",
        "testclientapi.write"
    }
}
// In OidcService; userManager is the oidc-client UserManager built from the settings above.
// Requires: import { Observable } from 'rxjs/Observable'; import 'rxjs/add/observable/fromPromise';
getUser(): Observable<User> {
    return Observable.fromPromise(this.userManager.getUser());
}
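An added example from the editor, not code from the question, from Angular or from oidc-client: the interceptor in the question attaches the cached token to every HttpClient request, whatever its destination, and has no policy for a missing or expired user. The function below shows the decision a bearer-token interceptor should make per request: attach the token only to an allowlisted API origin and never to other hosts (so the token cannot leak to the identity server, a CDN or a third party), and surface a missing or expiring token to the caller instead of silently sending an unauthenticated call or starting an interactive sign-in. The CachedUser shape, the apiOrigins allowlist, the API port 44328 and the 30-second skew are assumptions for this example; the two field names mirror what oidc-client's User exposes (access_token, and expires_at in seconds since the epoch).

```typescript
// Added example (editor's code, not from the question or from oidc-client).
// Decides whether a cached user's access token should be attached to an outgoing request.

// Mirrors the two fields of oidc-client's User that this decision needs (assumed shape).
interface CachedUser {
  access_token: string;
  expires_at: number; // seconds since the Unix epoch, as oidc-client stores it
}

// Minimal stand-in for the parts of an HTTP request the decision touches.
interface OutgoingRequest {
  url: string;
  headers: { [name: string]: string };
}

type Decision =
  | { kind: 'attach'; request: OutgoingRequest }
  | { kind: 'passthrough'; request: OutgoingRequest; reason: string }
  | { kind: 'reject'; reason: string };

// scheme://host[:port], lower-cased; null for relative URLs (same origin as the SPA).
function originOf(url: string): string | null {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]+)/i.exec(url);
  return m ? `${m[1].toLowerCase()}://${m[2].toLowerCase()}` : null;
}

function decideAuthorization(
  request: OutgoingRequest,
  user: CachedUser | null,
  apiOrigins: string[],           // hypothetical allowlist of API origins (assumption)
  nowSeconds: number,
  skewSeconds: number = 30,       // refuse tokens that expire within this window
): Decision {
  const origin = originOf(request.url);
  const allowed = apiOrigins.map(o => o.toLowerCase());

  // 1. Only the configured API origins ever see the bearer token. Anything else
  //    (the identity server, CDNs, third parties, relative URLs) goes out untouched.
  if (origin === null || allowed.indexOf(origin) === -1) {
    return { kind: 'passthrough', request, reason: 'destination is not an API origin' };
  }

  // 2. No cached user: do not send an unauthenticated call to the API and do not
  //    start an interactive sign-in from inside the interceptor; let the caller decide.
  if (user === null) {
    return { kind: 'reject', reason: 'no cached user' };
  }

  // 3. Expired, or about to expire: same handling; the caller can renew silently once.
  if (user.expires_at - skewSeconds <= nowSeconds) {
    return { kind: 'reject', reason: 'access token expired or about to expire' };
  }

  // 4. Attach the token without mutating the caller's request object.
  const headers = { ...request.headers, Authorization: `Bearer ${user.access_token}` };
  return { kind: 'attach', request: { url: request.url, headers } };
}

// Constructed sample input (not a real token): one cached user, two destinations.
const sampleUser: CachedUser = { access_token: 'opaque-reference-token', expires_at: 1700003600 };
const sampleApiOrigins = ['https://localhost:44328'];   // assumed API origin, not from the page
const sampleNow = 1700000000;

// API call: token attached. Identity server (authority from the question): passed through untouched.
console.log(decideAuthorization({ url: 'https://localhost:44328/api/values', headers: {} }, sampleUser, sampleApiOrigins, sampleNow).kind);
console.log(decideAuthorization({ url: 'https://localhost:44327/connect/userinfo', headers: {} }, sampleUser, sampleApiOrigins, sampleNow).kind);
```

Inside an Angular interceptor this would sit in the mergeMap: an 'attach' result clones the request with the new header, a 'passthrough' forwards it unchanged, and a 'reject' is the one place to trigger a single silent renew (UserManager.signinSilent() in oidc-client) or fail the call with an error the component can handle, rather than letting an interactive redirect happen on every API request.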
I found a temporary workaround for the issue. It works like magic once I don't trigger the REST API request from my /login route but instead from another location, e.g. /admin, which ends up not sending any requests to the /authorize endpoint. I will update this answer once I have figured out why exactly this is happening.

I've now run into similar issues when doing /logout requests; I also had to move it to a completely different route ...