Issues with simultaneous oidc logins (namespaced oidcStores)

[JohnSimonsen]

Scenario:
We are relying on two different oidc authentications, from two different providers which are relayed back to us from our own ids4 backend. Which means our identity server is the authority for both our oidc settings. Both oidc users needs to be logged in at the same time during our registration process for new users.

The registration process:

1. User logs in with BankId (Authentication)
2. User logs in with Vipps (Create a login account)

Issue:
From the point we introduce the second oidc-login, our Vue application will reload and run main.ts over again. Our first oidcStore will log:

	OIDC error: {
		context: 'oidcSignInCallBack', 
		error: 'login_required'
		},

seemingly from an attempt to either prompt the user to log in again, or automatically renew the token(?). In the console, we can see several identical attempts, resulting in the same error message mentioned above, before the end result: 'OIDC user is signed out' which is a log line originating from the event listeners.

Reloading our application on a route which should not require oidc auth to load, still starts logging the same 'login_required' error message. In order to rid ourselves of the issue, we will have to clear the session storage and perform a hard reload of the page. Then the route will load with the expected behaviour (no errors, and without running main.ts multiple times.).

Questions:
Can the vuex-oidc library handle two simultaneous oidc-logins?
Are namespaced oidc-stores somewhat uncharted territory?

In advance, thanks for any helpful input.
Please let me know, if you'd like me to provide more information.

[perarnborg]

Hello, sorry for not replying sooner!

Do I understand correctly that you create two separate oidc vuex modules with different namespaces?

It is unchartered territory for me, but I did have the intent to make this possible even though I have not tried it out myself.

Have you seen if you get this error if you only have one oidc module? It is just a hunch, but if you still get the error I suspect that it is the Session Managment implementation in oidc-client that causes this. Cookie policies in modern browsers have become more strict for cross domain iframes, so in short monitor session only works properly when your provider/issuer is on the same top domain as the requesting party (your app). So an idea could be to set monitorSession: false in your oidc config for this provider.

[JohnSimonsen]

Hi, thanks for the reply!

Yes, that is correct, we were using two seperate oidc vuex modules, with different namespaces.
However this is no longer an urgent issue for us, at the moment. As we got the flow we were seeking to a "working as intended" / "working good enough" state, with the exception of the error messages logged in the console.

As I can recall we did not see this behaviour when only using one oidc module. And in fact we are using one oidc module without any issues on a seperate SPA-project. But I will re-try this and test the monitorSession: false, when I revisit this issue.

If you are curious, I can share our implementation of the store module / settings:

from oidc.ts

 function getSettingsBankId(): any { 
    const config = store.getters.getConfig;
    const bankidConfig = config.bankIdSettings;
    return {
        authority: bankidConfig.authority,
        client_id: bankidConfig.client_id,
        redirect_uri: bankidConfig.redirect_uri, 
        response_type: bankidConfig.response_type,
        acr_values: bankidConfig.acr_values,
        scope: bankidConfig.scope 
    };
}
    
function getSettingsVipps(): any {
    const config = store.getters.getConfig;
    const vippsConfig = config.vippsSettings;
    return {
        authority: vippsConfig.authority,
        client_id: vippsConfig.client_id,
        redirect_uri: vippsConfig.redirect_uri,
        response_type: vippsConfig.response_type,
        acr_values: vippsConfig.acr_values,
        scope: vippsConfig.scope,
        userStore: new WebStorageStateStore({prefix: "oidc.vipps", store: sessionStorage})
    };
}

export function getOidcStoreBankId(): Module<VuexOidcState, any> {
    return vuexOidcCreateStoreModule(getSettingsBankId(), { namespaced: true, publicRoutePaths: noBankIdRequired });
}

export function getOidcStoreVipps(): Module<VuexOidcState, any> {
    return vuexOidcCreateStoreModule(getSettingsVipps(), { namespaced: true, publicRoutePaths: noVippsRequired });
}

The store module then in turn is registered in an action:
from actions.ts

    async [ActionTypes.registerVippsBankIdModules]() {
      try {
        store.registerModule("oidcStoreBankId", getOidcStoreBankId());
        store.registerModule("oidcStoreVipps", getOidcStoreVipps());
      } catch (e) {
        console.warn("Could not register modules. Error: " + JSON.stringify(e))
      }
    },

The action is triggered from load.ts / main.ts

Again this is not high priority for us at the moment, but at some point we might revisit the issue, will let you know if we manage to solve this nuisance.