checkAuth returning null when href target="_blank"

[arshrp]

Describe the bug
The OidcSecurityService.checkAuth() returns null when a tab is opened by clicking an href with target="_blank". Since storage=localstorage, it should return true, not null.

To Reproduce
Steps to reproduce the behavior:

1. Edit the https://github.com/damienbod/angular-auth-oidc-client/blob/main/projects/sample-code-flow-auto-login/ sample
2. In auth-config.module set storage: localstorage
3. Add a link somewhere <a href="/" target="_blank">My Link</a>
4. Start the app, login, then click the link.
5. Notice the new tab opens and a loop ensues between authentication and autologin.

Expected behavior
Since storage is localstorage, the new tab should know we are authenticated and checkAuth() should return true.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: Windows 10
• Browser Chrome
• Version 87.0.4280.88 (Official Build) (64-bit)

Additional context
If the tab is opened by right click, "open link in new tab", it works (instead of regular left click).

I think the problem is the library thinks the new tab is a popup. From CheckAuthService:

    if (this.popupService.isCurrentlyInPopup()) {
        this.popupService.sendMessageToMainWindow(currentUrl);
        return of(null);
    }

But it probably shouldn't be doing this when storage=localstorage?

[FabianGosebrink]

Hey thanks, will talk to @damienbod and look into this.

[arshrp]

Verified this bug occurs even with default storage setting (session).

Steps to reproduce are simple, just add <a href="\" target="_blank">Link</a> to angular-auth-oidc-client-main\projects\sample-code-flow-auto-login\src\app\home\home.component.html, start project, login and click link. Tab will open and get caught in repeated redirection to autologin (due to CheckAuthService code mentioned above).

[FabianGosebrink]

Hey, I could not reproduce the issue the way you described. What I did was that I opened a "normal" popup via window.open(...) and with this I could reproduce the issue. Fixed this now in the PR mentioned above and added a button & link to open new popups. I am 99% sure this fixes your issue as I could not reproduce it the way you said.

[arshrp]

Appreciate the quick fix. I'm surprised you could not reproduce, as all you have to do is add <a href="\" target="_blank">Link</a> to angular-auth-oidc-client-main\projects\sample-code-flow-auto-login\src\app\home\home.component.html, run npm run start-sample-code-flow-auto-login and click the link.

[FabianGosebrink]

Yeah but maybe we have different browser settings concerning to popups ;) Also I am wondering what a backslash as link should do as you mention a normal slash in the first post. But I got the idea I think. I think I could reproduce it and hopefully fixed it :-) You can test btw and let us know!

[arshrp]

Verified the PR fixes the issue. Thanks for such a fast turnaround.

[abdulfousan]

Above issue still happening for the sample-code-flow-auto-login project, list of changes i've made in sample below

home.component.html

<div>Welcome to home Route</div>

<br />
Is Authenticated: {{ isAuthenticated$ | async }}
<pre>{{ userData$ | async | json }}</pre>

<button (click)="openWindow()">Open normal popup</button>

home.component.ts

export class HomeComponent implements OnInit {
    userData$: Observable<any>;
    isAuthenticated$: Observable<boolean>;

    constructor(public oidcSecurityService: OidcSecurityService) {}

    ngOnInit() {
        this.isAuthenticated$ = this.oidcSecurityService.isAuthenticated$;
        this.userData$ = this.oidcSecurityService.userData$;
    }

    openWindow() {
        window.open('http://localhost:4200', '_blank');
    }
}

here localhost:4200 is another application having same clientId

[FabianGosebrink]

Hey @abdulfousan ,

if you open up a new window this is a completely new instance. You are not authenticated in there. You can add a AutoLoginGuard to be redirected to the sts automatically if you want.