
Hello guys, I need some guidance on whether I'm going in the right direction. I have an Identity Server client with these settings:

new Client
{
    ClientId = "XamarinAndAngularClient",
    ClientName = "Xamarin and Angular client(Code with PKCE)",
    RedirectUris = new List<string>
    {
        "http://localhost:4200",
        "http://localhost:4200/auth-callback"
    },
    PostLogoutRedirectUris =
    {
        "http://localhost:4200",
        "https://localhost:4200",
    },
    RequireClientSecret = false,
    AllowedGrantTypes = GrantTypes.Code,
    RequirePkce = true,
    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.Address,
        "myprotectedeapi"
    },
    AllowOfflineAccess = true,
    RefreshTokenUsage = TokenUsage.ReUse
}

This client is used by an Angular SPA with oidc-client-js, which is working great. I have added a Xamarin application that uses the same client with the following settings:

var options = new OidcClientOptions
{
    Authority = "https://myidentityserver.com/",
    ClientId = "XamarinAndAngularClient",
    Scope = "openid profile address myprotectedeapi",
    //RedirectUri = "xamarinformsclients://callback",
    RedirectUri = "http://localhost:4200/auth-callback",
    Browser = browser,
    FilterClaims = false,
    Flow = OidcClientOptions.AuthenticationFlow.AuthorizationCode,
    ResponseMode = OidcClientOptions.AuthorizeResponseMode.Redirect,
};

The idea of the Xamarin Forms settings is to redirect the user to the Identity Server login screen and, once he has provided the needed credentials, to redirect to the Angular SPA. Currently, every time this redirection to Angular happens, oidc-client-js returns an error: No matching state found in storage. My question is: is my current idea/approach correct, and if not, what can I do in order to "inform" oidc-client-js that the code (which contains the state and session state generated by Identity Server) from the Xamarin callback is OK and can be used?

NDym

1 Answer


The problem here, as the library is telling you, is that the application that makes the first request to the authorize endpoint has indeed to be the same one that gets the auth callback, and also the same one that makes the subsequent request to the token endpoint.

The code + PKCE flow does not need to use a client secret because it guarantees that the same client that makes the first request to authorize makes the second one to token (this is what PKCE does). The only secret here is not a secret: it's your redirect_uri, so only the application sitting on that URI can complete the flow. This way we've authenticated the client (your Angular SPA) without the need for a secret.

Having said that, what you can do instead from your Xamarin.Forms app is to call an endpoint on your SPA that initiates the whole flow from there. That would also be more convenient in terms of maintenance, as you'll only have to keep the OIDC configuration on one side of your application (the Angular SPA).

I've explained this flow in a little more detail in this previous answer.

Pablo Recalde