Validating access_token failed, wrong state/nonce

[sureshreddygovindu]

I've integrated OAuth Implicit flow in Angular 8 App, I've been getting below issue initial time especially in Firefox (incognito).

Validating access_token failed, wrong state/nonce

Initial time, there is no nonce in the local storage, how can it validateNonce (angular-oauth2-oidc.js - 2358 line) execute? This method is being thrown an exception initial time.

if (this.configService.auth) {
            console.log(this.configService.auth.authRedirectUri + "*&&&&&&&&&&&&&&&&&&dd");
            this.authConfig = {
                issuer: 'https://login.microsoftonline.com/XXXXXX/v2.0',
                redirectUri: this.configService.auth.authRedirectUri,
                clientId: this.configService.auth.clientId,
                scope: 'openid profile email',
                strictDiscoveryDocumentValidation: false,
                oidc: true,
                showDebugInformation: true,
                // URL of the SPA to redirect the user after silent refresh
                // silentRefreshRedirectUri: window.location.origin + '/login.html',
            };
            this.oauthService.configure(this.authConfig);
            this.oauthService.setStorage(localStorage);
            this.oauthService.tokenValidationHandler = new JwksValidationHandler();
            this.oauthService.setupAutomaticSilentRefresh();
            // this.oauthService.silentRefreshRedirectUri = window.location.origin + '/login.html';
        }

// trylogin funtion

  tryLogin(state?: any): Observable<boolean | any> {
        console.log("***********Try Login", state);
        return Observable.create(observer => {
            return this.oauthService.loadDiscoveryDocument(this.configService.auth.openIdDocument).then(() => {
                console.log("***********Try Login", state);
                return this.oauthService.tryLogin({}).then(() => {
                    observer.next(state ? state : this.isLoggedIn);
                    observer.complete();
                }).catch(err => {
                    observer.error(err);
                    observer.complete();
                });
            });
        });
    } 

Desktop (please complete the following information):

• OS: Mac, Windows
• Browser Firefox
• Version Latest

[sureshreddygovindu]

more info to understand this issue,
This is happening very first time login with new browser in the Firefox. In this case, there is no nonce right so Nonce validation keep failing.

[jeroenheijmans]

any update

Ermmm, it's been no more than 20 hours since you initially posted 😅 - there's not a large community here so it might take way longer to get an answer for questions. If you need faster feedback you could try Stack Overflow (they tend to have strict(er) rules about what you need to provide in a question for it to be answerable), or a colleague or paid consultant...

As a footnote, after glancing at your code, I can mention I had more success by providing configuration and storage options via the module, you could try if that helps fix your issue?

[jeroenheijmans]

OP, did you ever try my suggestion? If not, could you help us figure out if you suspect a bug in the library, or have a question for help with your own implementation? For the latter I recommend Stack Overflow or a colleague/consultant though...

[manfredsteyer]

Can you please retry this with this libs version 9.1 when it ships later today?

[dirkbolte]

TL;DR Ran into the same error with version 8.0.4 and it worked after upgrading to 9.2.0

My config:

  private readonly config: AuthConfig = {
    issuer: environment.loginServiceUrl,
    redirectUri: window.location.origin + '/index.html',
    clientId: '...',
    requestAccessToken: true,
    requireHttps: false,
    disableAtHashCheck: true,
    oidc: true,
    scope: 'oidc account profile offline_access api',
    showDebugInformation: true,
    disablePKCE: true,
    skipSubjectCheck: true,
  };

and used this.auth.loadDiscoveryDocumentAndTryLogin()

With 8.0.4, I got the same error: Validating access_token failed, wrong state/nonce as there was no nonce in local storage. After upgrading, this works flawlessly.

[MichaelPruefer]

I am using version 9.2.1 with IdentityServer 4 and have the same problem.
The first time you enter the site and log in, the error message mentioned above appears in the log.

Validating access_token failed, wrong state/nonce. null UnZFVkYtVkxqcHZibXphTEc5WEZOWTNhajRzd0Z5UDlXWU5sRENkWHRqQlM0

If I enter the url again I am immediately logged in without any problems.

To reproduce the problem I had to clear the browser cache.

My configuration looks like this:

{
      issuer: environment.baseUrls.identityUrl,
      redirectUri: environment.baseUrls.uiUrl,
      postLogoutRedirectUri: environment.baseUrls.uiUrl,
      clientId: 'spa',
      scope: 'openid profile email services.api.read',
      silentRefreshRedirectUri: environment.baseUrls.uiUrl + '/silent-refresh.html',
      clearHashAfterLogin: false
}

and later using:
oauthService.loadDiscoveryDocumentAndLogin()

Is there any way to skip the nonce check?

[ArnoldEKrumins]

I'm have the same issue when using this.oauthService.loadDiscoveryDocumentAndLogin()

Has this issue been fixed?

[neterium-dev]

Exact same issue here (9.2.2).

"Validating access_token failed, wrong state/nonce."

The document is loaded, the login form is displayed and the redirect works (with the code and token in the URL) -> cannot finalize login process and get my token :(

[benediktberger]

I had the same issue using version 9.2.2 and Chrome or Firefox.
I stumbled upon #472 (comment) and it put me in the right direction. I was doing a loadDiscoveryDocumentAndLogin() in my AppComponent and also an initCodeFlow() in my AppGuard. Removing the call in the AppGuard solved the issue for me.

I am still wondering though why the issue did not appear on Safari.

[MichaelPruefer]

The worst part of this is, the exception thrown causes an uncoverable application state in a way, that i am not able to redirect the user to any other page.
So my users see a never ending loading screen.

So again my question, is there any way to disable the nonce check or atleast let it not throw an error?

[jeroenheijmans]

The ability to disable the nonce check might not be feasible, If I recall correctly it's mandatory by the spec?

Certainly there should be either:

• no error (i.e. there might still be a bug in the library)
• a descriptive error explaining that something was misconfigured in the app, in a way that helps resolve the issue

However, I am thinking about closing this specific issue. The original poster never responded anymore or tried Manfred's suggestion. Others commenting later about having the same symptom might or might not experience the same cause, but we have no up to date reproducible scenario. So it might be better if someone opens a fresh issue with a reproducible scenario using the latest version of the library (or at the least post one in this issue), so we can trace the cause and fix that?

Again, by no means do I want to say that "there's no issue", I'm just looking for the clearest, most efficient path to getting a repro, and ultimately getting things resolved.

[Maple512]

I also encountered the same error. i did not make any changes to this repository.
repro step:

1. run yarn run start
2. click the login button under login with code flow
3. the error will appear on the console, when url to jump back to localhost

please forgive me English is not very good

[schanzen]

EDIT: I managed to get it to work using #728 (comment). This should still be fixed or documented somewhere that it is necessary.

The ability to disable the nonce check might not be feasible, If I recall correctly it's mandatory by the spec?

Certainly there should be either:

* no error (i.e. there might still be a bug in the library)

* a _descriptive_ error explaining that something was misconfigured in the _app_, in a way that helps resolve the issue

However, I am thinking about closing this specific issue. The original poster never responded anymore or tried Manfred's suggestion. Others commenting later about having the same symptom might or might not experience the same cause, but we have no up to date reproducible scenario. So it might be better if someone opens a fresh issue with a reproducible scenario using the latest version of the library (or at the least post one in this issue), so we can trace the cause and fix that?

Again, by no means do I want to say that "there's no issue", I'm just looking for the clearest, most efficient path to getting a repro, and ultimately getting things resolved.

Just created a fresh project using angular CLI and followed the minimal example and getting this error.
The local storage is empty (no state stored). So this is definitely a bug.
Currently I am testing on localhost.

The nonce is not mandatory in OIDC and definitely not in RFC 6749. Not sure about the current security BCP draft right now.
Anyway. Still a bug no matter how the plugin handles and interprets the state parameter. But basically it currently enforces the use of a nonce which is piggybacked in the state leading to the error due to the bug.