Session management implementation : Failed to execute 'postMessage' on 'DOMWindow'.... #623
Replies: 2 comments 5 replies
-
|
Hi, But it still doesn't work. Now I have a checkSession: posting and then receiveMessage: changed from the op and finally XHR finished loading: GET on the endpoint of the html page of the OP and logout after 3 seconds and so on ... I added traces and the values passed in the java_script method seem consistent. So my question is this. Does it make sense for check sessions to start before the XHR GET request finishes loading or is it something else? thank you |
Beta Was this translation helpful? Give feedback.
-
|
I'm not sure what you're asking: the iframes are supposed to be loaded by the browser after returning from the OP |
Beta Was this translation helpful? Give feedback.
-
|
Hi Hans, Yes. In fact, logic dictates that we load the iframes after receiving the script from the OP. I do not understand that it works otherwise and therefore after hours of research I have only activated the OP iframe and I have an error: a cookie is intended to be set in a cross-site context by specifying its SameSite attribute and so on.. From what I understand from the feed, the OP server needs to save a cookie in the browser that will allow session verification. And it is then the hidden iframe OP which will make the connection with the hidden iframe RP and vice versa to check the session synchronously. So if that's right, it could mean that my blocking is that chrome is preventing the cookie from being written due to the lack of SameSite = None to allow cross-site use. In the documentation 5.1. User Agents Blocking Access to Third-Party Content they talk about this kind of concern. Could it come from this setting and that I ask my OP to change the SameSite parameter of the cookie or am I completely in the wrong direction? Thanks Stef |
Beta Was this translation helpful? Give feedback.
-
|
which version of the module are you using? |
Beta Was this translation helpful? Give feedback.
-
|
the lastest I think. The 2.4.9. I compiled the module on July 16 |
Beta Was this translation helpful? Give feedback.
-
|
ok, it looks then indeed like the OP cookie needs the samesite flag |
Beta Was this translation helpful? Give feedback.
-
|
Okay thank you so much |
Beta Was this translation helpful? Give feedback.
-
Hi,
I implemented the base library and everything looks good so far.
<iframe title = 'empty' style = 'visibility: hidden;' width = '0' height = '0' tabindex = '- 1' id = 'openidc-op' src = 'https://localhost/openid/redirect_url? session = iframe_op' > </iframe> <iframe title = 'empty' style = 'visibility: hidden;' width = '0' height = '0' tabindex = '- 1' id = 'openidc-rp' src = 'https: // localhost/openid/redirect_url? session = iframe_rp' > </iframe>So I want to implement session management as indicated in the doc. My OP on Keycloak supports it. So I followed the doc and added the following lines just before the tag:
And i have a mistake
Failed to execute 'postMessage' on 'DOMWindow': The target origin provided ('https://xxx.xxx.xxxx.xxx.com) does not match the recipient window's origin (' https: // localhost ').
(I put xxx for confidentiality issues of course.)
Then a disconnection is made and I am redirected to the authentication screen of my OP 3 seconds later. This is normal since it detects an error.
My redirect address declared in Apache is: https://localhost/openid/redirect_url
In the discovery file of my OP there is indeed an address for the iframe.
So my question is, did I miss a feature or parameter to add to my Apache server or whatever?
Thanks.
Beta Was this translation helpful? Give feedback.
All reactions