[oauth] using a custom provider not working on IE 11

Hello everyone,
We want to integrate a custom provider using OpenId (based on oauth2, with the redirect type).
We created an internal package for this and it works very well on Chrome. We used this package as a base for our flow: https://github.com/Aur0r/accounts-learninglayers

The flow is the following:

  • Click oauth button
  • Get redirected to Identity Provider (IDP) on the authorization endpoint
  • Connect on the IDP interface, then get redirected to the callback URL: /_oauth/openid
  • The app processes the request, and gets an authorization code
  • App requests an access token from the IDP (POST request on token endpoint)
  • App gets the access token and requests the user identity (GET request on user info endpoint)
  • Then OAuth renders the after-redirect view containing the #config div with key and secret, and stores the secret in LocalStorage.
  • The user is then redirected to the root of the app (login page), where an autorun checks if the user is connected and redirects him to the landing page if yes.

As I said, it works perfectly on Chrome, but not on IE 11. So far, I identified that the OAuth.getDataAfterRedirect function cannot get the data from Reload (here)

Can you help me fix this issue? I was about to create an issue in the meteor/meteor GitHub, but I think that the other accounts packages using oauth work on IE 11, so it must be in my config (I use Nginx) or in my code.

Thanks a lot!
Victor

I am replying to myself to add some details on the debugging state. I confirm that Reload.js is not behaving correctly on IE 11 in this case. I have found a rather dirty workaround: rewriting the OAuth.getDataAfterRedirect method to avoid its use ([original code in the meteor oauth package](https://github.com/meteor/meteor/blob/devel/packages/oauth/oauth_client.js#L77)):

```javascript
OAuth.getDataAfterRedirect = function () {
  var credentialSecret, credentialToken;
  for (var k in sessionStorage) {
    credentialSecret = sessionStorage[k];
    credentialToken = k.replace(OAuth._storageTokenPrefix, "");
  }
  if (!credentialSecret || !credentialToken)
    return null;

  return {
    loginService: "openid",
    credentialToken: credentialToken,
    credentialSecret: credentialSecret
  };
};
```

I am not a big fan of this workaround (which is very specific to this login service) and would prefer it to be working out of the box, in a generic and nice way. Also, I am not sure it is very secure.
What do you think? Can my code be an issue at some point (from a security point of view)?
Thanks a lot for your inputs!
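
On the security question: the loop in the workaround above reads every key in sessionStorage and keeps whichever comes last, without checking OAuth._storageTokenPrefix. The following is an added example, not part of the original post and not Meteor's own code, of a stricter variant that only accepts a single prefixed entry and deletes it after use. The `PREFIX` value, the `makeStorage` stand-in for `window.sessionStorage`, and the function signature are assumptions made so the example runs outside a browser.

```javascript
// PREFIX is an assumed value standing in for OAuth._storageTokenPrefix.
const PREFIX = "Meteor.oauth.credentialSecret-";

// Minimal in-memory stand-in for window.sessionStorage so this runs in Node.
function makeStorage(initial) {
  const map = new Map(Object.entries(initial));
  return {
    get length() { return map.size; },
    key: (i) => { const keys = Array.from(map.keys()); return i < keys.length ? keys[i] : null; },
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

function getDataAfterRedirect(storage, loginService, prefix = PREFIX) {
  // Use the Storage API (length/key) instead of for..in, and keep only
  // keys carrying the OAuth prefix; unrelated entries are never read.
  const matches = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k !== null && k.startsWith(prefix)) matches.push(k);
  }
  // Fail closed: zero or several pending credentials is ambiguous.
  if (matches.length !== 1) return null;

  const key = matches[0];
  const credentialToken = key.slice(prefix.length);
  const credentialSecret = storage.getItem(key);
  if (!credentialToken || typeof credentialSecret !== "string" || !credentialSecret) {
    return null;
  }

  // Single use: do not leave the secret behind for scripts that run later.
  storage.removeItem(key);
  return { loginService, credentialToken, credentialSecret };
}

// Constructed sample data: one OAuth entry next to an unrelated key.
const demo = makeStorage({ "app.theme": "dark", [PREFIX + "tok123"]: "s3cr3t" });
console.log(getDataAfterRedirect(demo, "openid"));
```

In the browser, the same function would be called with `sessionStorage` as the first argument.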