
I'm having a problem in the Garden demo environment using the Banno Digital Toolkit. I run Chrome on Linux and I'm getting "authorization request has expired" when loading our application through the iframe in the dashboard.

I'm getting the error in Chrome, Edge, and Opera, but not in Firefox. And when I click the CTA button at the bottom of the card to open it full screen, it always works, regardless of browser. So it seems to be just the iframe on just those browsers. And the browsers that don't work I believe use the Blink engine, and the browser that does work I believe uses the Gecko engine.

In all cases, when loading the dashboard, there's a call to https://digital.garden-fi.com/a/consumer/api/v0/oidc/auth?response_type=code&client_id=... which responds with a 302. In the cases where I get the error, the 302's location is something like /login?returnUrl=/a/consumer/api/v0/oidc/auth/xyz and the subsequent call to https://digital.garden-fi.com/a/consumer/api/v0/oidc/auth/xyz returns a 400 with the error above. In the case in Firefox where loading the iframe succeeds, the location of the 302 is my application's URL, with the code and state parameters as expected.

I've got the latest versions available of all browsers. I've also tried in an incognito window with no success. Everything is over HTTPS and I've enabled 3rd party cookies. What could be going on?

Darin R
  • Does this problem occur on other operating systems? Your question mentions Chrome on Linux and also several browsers, all of which I'm assuming are also on Linux. Hoping to narrow down possibilities. – Jaime Lopez Jr. Nov 05 '22 at 00:29
  • Also, are you able to reproduce the problem in our Simple Plugin Example? We know this sample code very well and it's great if the problem can be reproduced with it (or a modified version of it). https://github.com/Banno/simple-plugin-example – Jaime Lopez Jr. Nov 05 '22 at 00:30
  • We're seeing the same issues in the same browsers in Windows as well as Linux. I'll see if we can deploy the sample code. – Darin R Nov 07 '22 at 14:11
  • I was able to successfully run the sample code. But I'm still not sure why the call to https://digital.garden-fi.com/a/consumer/api/v0/oidc/auth?response_type=code&client_id=.. returns different things in different browsers from our code. Is there any documentation on this endpoint, or any description of the logic it might use to return one response or the other? – Darin R Nov 07 '22 at 16:34
  • The documentation is at https://jackhenry.dev/open-api-docs/consumer-api/api-reference/v0/oauth-and-openid-connect/ and https://jackhenry.dev/open-api-docs/consumer-api/api-reference/v0/oauth-and-openid-connect/details/ – Jaime Lopez Jr. Nov 07 '22 at 17:16
  • It's also helpful if you run through the command line quickstart and see how your code might be doing something different which causes the different behavior: https://jackhenry.dev/open-api-docs/consumer-api/quickstarts/authenticationcommandline/ – Jaime Lopez Jr. Nov 07 '22 at 17:18
  • I'm not seeing documentation explaining why the endpoint responds differently. I've got an application mostly running and working, it's just those very specific cases where it doesn't work. So I don't think I'm ready to throw my code out and start again at the beginning. It's only in Chromium-based browsers and only in the iframe. All other browsers work and all browsers work outside of the iframe. – Darin R Nov 07 '22 at 18:26
  • It also looks like if I `curl` according to step 1, I should see a response in the form `[REDIRECT_URI]?code=[CODE]&state=[STATE]`. What I'm actually seeing is a redirect to `/login?returnUrl=%2Fa%2Fconsumer%2Fapi%2Fv0%2Foidc%2Fauth%2FcKbklSg...`. Is there a way I can mimic my issue with `curl`? – Darin R Nov 07 '22 at 19:33
  • That would be highly dependent on what your code is doing. Given that the Simple Plugin Example did not exhibit or reproduce the behavior you're seeing, the problem is now isolated to what your code is doing for the authorization URL. You'll have to get a reproducible example before we can do more than speculate. – Jaime Lopez Jr. Nov 08 '22 at 16:23
  • Using the quickstart you linked to at: https://jackhenry.dev/open-api-docs/consumer-api/quickstarts/authenticationcommandline/ I can't successfully execute step 1 with a curl. Instead of a redirect back to my app, I get a redirect to a login path on your servers. Can I get some insight into why that's happening? I believe it's _very_ similar to what's happening in our app in the failure scenario. – Darin R Nov 08 '22 at 17:29
  • Can you post the full authorization URL? That might provide a clue as to what is happening. – Jaime Lopez Jr. Nov 08 '22 at 19:27
  • `curl -G -i https://digital.garden-fi.com/a/consumer/api/v0/oidc/auth -d "client_id=7be6c674-ec39-4fb8-bb45-056d2277a346" -d "redirect_uri=https%3A%2F%2Fdev-widget.onedigitaltrust.com%2Fjack-henry%3FssoId%3Dgarden-fi%26tenant%3Dodt%26brand_id%3Dgarden-fi" -d "scope=openid+address+email+phone+profile+https%3A%2F%2Fapi.banno.com%2Fconsumer%2Fauth%2Fuser.profile.readonly" -d "response_type=code" -d "state=abc123" -d "code_challenge=I3a0Jrg171ygSAdttG5MAUqEsaFBbrjlGZwTYeJ-ofY" -d "code_challenge_method=S256"` – Darin R Nov 08 '22 at 20:48
  • Another important point is that the sample code is all in one Express server. Our code has a UI on one subdomain and the server is on another subdomain. – Darin R Nov 09 '22 at 16:09
  • I'm not sure which curl switches tell curl to follow redirects and/or open up a browser; that might be helpful. – Jaime Lopez Jr. Nov 10 '22 at 02:17
  • If I use the same structure as what you've got but construct a URL I can use in my browser, I get this: `https://digital.garden-fi.com/a/consumer/api/v0/oidc/auth?client_id=d784425f-43d2-40b3-92b1-3d87633121e6&redirect_uri=https://oidcdebugger.com/debug&scope=openid+address+email+phone+profile+https%3A%2F%2Fapi.banno.com%2Fconsumer%2Fauth%2Fuser.profile.readonly&response_type=code&state=abc123&code_challenge=I3a0Jrg171ygSAdttG5MAUqEsaFBbrjlGZwTYeJ-ofY&code_challenge_method=S256` – Jaime Lopez Jr. Nov 10 '22 at 02:18
  • ...which redirects me to `https://digital.garden-fi.com/login?returnUrl=%2Fa%2Fconsumer%2Fapi%2Fv0%2Foidc%2Fauth%2FM4gevgA83hrl-IRpOFF94` and that's what I expect since I wasn't logged into Banno (the Garden institution, in this case). If I do log in, then I'm redirected in the browser to https://oidcdebugger.com/debug per my Redirect URI (which is a bit different than yours, but should work the same). – Jaime Lopez Jr. Nov 10 '22 at 02:19
  • Based on the documentation, I _should_ be getting a redirect back to my app. Is there somewhere I can see a description of when I can expect a proper redirect vs when I can expect this login redirect? You mention it's about authentication, but how does Banno determine whether you're authenticated? Is it cookies, headers? Do we have any ideas why Chrome-based browsers in an iframe aren't considered authenticated, but everything else is? Chrome might handle 3rd party cookies differently. I'm just trying to figure out how/if I can change my code to account for this. – Darin R Nov 10 '22 at 15:27
  • Normally within Banno's Dashboard UI, the user is already logged in (with cookies maintaining the session) so when the authentication redirect to Banno occurs it should seamlessly redirect back to your plugin since the user is already logged in. If the flow starts outside of Banno then the user may not necessarily be logged in so the redirect may have a step for the user to log in OR may seamlessly redirect back to your server if the user is already logged in. This all works in standard Chrome browsers, but may not work if there are ad/tracking/content blockers which disallow cookies. – Jaime Lopez Jr. Nov 10 '22 at 16:24
  • I have ad blockers in my Chrome, which isn't working. I have those same ad blockers in my Firefox, which _is_ working. I have no ad blockers in my Edge or in my Opera, which aren't working. Do we have any more detailed info on which plugins or browser settings might be causing this? I'm having a hard time seeing any correlation. Is it a safer bet to just _not_ attempt OAuth from the iframe on certain browsers and show only static info instead? – Darin R Nov 10 '22 at 18:54
  • No, OAuth definitely works in the Card Face. Coming back to the https://github.com/Banno/simple-plugin-example example code, does that work? It uses OAuth and OpenID Connect to show the user's name and the number of accounts they have. – Jaime Lopez Jr. Nov 11 '22 at 01:51
