Summary
solid-client-authn-browser receives the OAuth authorization code after redirect but does not complete the token exchange. The library stores the codeVerifier in localStorage but never exchanges the code for tokens.
Environment
- solid-client-authn-browser: 2.3.0 (via solid-logic 4.0.1)
- Browser: Chrome 131
- Server: Custom Solid server with oidc-provider
- Context: Mashlib data browser
Steps to Reproduce
- Load mashlib in browser
- Click "Sign In"
- Complete login at IdP
- Redirect back to app with ?code=...&state=... in URL
Expected Behavior
Library should:
- Detect the auth code in URL
- Retrieve codeVerifier from localStorage (solidClientAuthenticationUser:* keys)
- POST to token endpoint with PKCE exchange
- Store tokens and set session.info.isLoggedIn = true
Actual Behavior
- Auth code is in URL
- codeVerifier exists in localStorage under solidClientAuthenticationUser:* key
- Token exchange never happens
- session.info.isLoggedIn remains false
- No network request to /idp/token endpoint
localStorage State After Redirect
{
"solidClientAuthenticationUser:default": {
"clientId": "client_xxx",
"codeVerifier": "xxx",
"redirectUrl": "http://example.com/",
"issuer": "http://example.com/"
}
}
Workaround
Manual token exchange in solid-logic that:
- Captures auth code at module load (before library processes it)
- Reads session data from solidClientAuthenticationUser:* localStorage keys
- POSTs to /idp/token with PKCE parameters
- Patches window.fetch to add Bearer token
Code Location
The issue appears to be in handleIncomingRedirect() - it's called but doesn't trigger the token exchange even though all required data is present.
Related
This may be related to timing issues where the library cleans up URL parameters before handleIncomingRedirect is called, or session state management issues.
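Added example (not part of the original report and not solid-client-authn-browser code): a dry-run check that takes the callback URL and the stored record shown above and either returns the PKCE token request the report expects or names the missing precondition, which separates the "URL parameters already cleaned up" case from a storage problem. `planTokenExchange`, `sampleStorage` and the optional `expectedState` argument are hypothetical names, and the token endpoint is assumed to be `/idp/token` on the issuer as in the report.

```javascript
// Added example: names below are hypothetical, not solid-client-authn-browser APIs.
const STORAGE_KEY = "solidClientAuthenticationUser:default"; // key shown in the report

// Returns { ok: true, request } or { ok: false, reason } without touching the network.
function planTokenExchange(callbackUrl, storage, expectedState) {
  const url = new URL(callbackUrl);
  const code = url.searchParams.get("code");
  const state = url.searchParams.get("state");
  if (!code) return { ok: false, reason: "no authorization code in URL" };
  if (expectedState !== undefined && state !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }
  const raw = storage[STORAGE_KEY];
  if (!raw) return { ok: false, reason: "no stored session record" };
  const session = typeof raw === "string" ? JSON.parse(raw) : raw;
  for (const field of ["clientId", "codeVerifier", "redirectUrl", "issuer"]) {
    if (!session[field]) return { ok: false, reason: `missing ${field}` };
  }
  // redirect_uri must equal the one sent in the authorization request.
  const redirect = new URL(session.redirectUrl);
  if (redirect.origin !== url.origin || redirect.pathname !== url.pathname) {
    return { ok: false, reason: "callback does not match stored redirectUrl" };
  }
  // Assumption: token endpoint is /idp/token on the issuer, as in the report.
  const endpoint = new URL("/idp/token", session.issuer).toString();
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: session.redirectUrl,
    client_id: session.clientId,
    code_verifier: session.codeVerifier,
  });
  return {
    ok: true,
    request: {
      url: endpoint,
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Constructed sample input mirroring the localStorage state in the report.
const sampleStorage = {
  [STORAGE_KEY]: { clientId: "client_xxx", codeVerifier: "xxx",
    redirectUrl: "http://example.com/", issuer: "http://example.com/" },
};
const plan = planTokenExchange("http://example.com/?code=abc&state=s1", sampleStorage, "s1");
console.log(plan.ok ? plan.request : plan.reason);
```

Running it against the live URL and storage at the moment handleIncomingRedirect() is called shows which input was already gone when no request to /idp/token appears.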