v2.4 Client Registration Issues

[jaxoncreed]

Search terms you've used

Impacted package

Which packages do you think might be impacted by the bug ?

• solid-client-authn-browser
• solid-client-authn-node
• solid-client-authn-core
• oidc-client-ext
• Other (please specify): ...

Bug description

Version 2.4 seems to have created a bug in apps that don't have a client document. Upon redirect, in handleRedirect, the library will place "null" in the redirect_uris field. This request fails:

curl 'https://solidcommunity.net/.oidc/reg' -X POST -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:137.0) Gecko/20100101 Firefox/137.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate, br, zstd' -H 'Referer: http://localhost:5173/' -H 'Content-Type: application/json' -H 'Origin: http://localhost:5173' -H 'Connection: keep-alive' -H 'Sec-Fetch-Dest: empty' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: cross-site' -H 'Priority: u=4' --data-raw '{"application_type":"web","redirect_uris":[null],"subject_type":"public","token_endpoint_auth_method":"client_secret_basic","id_token_signed_response_alg":"ES256","grant_types":["authorization_code","refresh_token"]}'

It yields a 400 error with the following body:

{
   "name":"InvalidClientMetadata",
   "message":"invalid_redirect_uri",
   "statusCode":400,
   "errorCode":"H400",
   "details":{},
   "error":"invalid_redirect_uri",
   "error_description":"redirect_uris must only contain strings"
}

I checked with version 2.3.0 and this problem doesn't seem to exist.

To Reproduce

You can run a simple demo app, for example:

import { getDefaultSession, handleIncomingRedirect, login } from "@inrupt/solid-client-authn-browser";
import { useCallback, useEffect, useState } from "react";

export const Component = () => { 
  const [session, setSession] = useState(undefined);

  const loginLocal = useCallback(async () => {
    // Start the Login Process if not already logged in.
    if (!getDefaultSession().info.isLoggedIn) {
      await login({
        oidcIssuer: "https://solidcommunity.net",
        redirectUrl: new URL("/callback", window.location.href).toString(),
        clientName: "My application"
      });
    }
  },
  []);

  useEffect(() => {
    setSession(getDefaultSession());
    handleIncomingRedirect().then(() => {
      setSession(getDefaultSession());
    });
  }, []);
  

  return <div>
    <div>{String(session?.info?.isLoggedIn)}</div>
    <button onClick={() => loginLocal()}>Click</button>
  </div>;
}

Click the button the Log in.

You should be redirected to solidcommunity.net and login there.

Upon redirect, observe that POST https://solidcommunity.net/.oidc/reg fails.

Expected result

Login works

Actual result

Client registration fails

Environment

Please run

npx envinfo --system --npmPackages --binaries --npmGlobalPackages --browsers

in your project folder and paste the output here:

$ npx envinfo --system --npmPackages --binaries --npmGlobalPackages --browsers

System:
    OS: macOS 14.3
    CPU: (12) arm64 Apple M3 Pro
    Memory: 103.36 MB / 36.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 20.17.0 - ~/.nvm/versions/node/v20.17.0/bin/node
    npm: 11.2.0 - ~/.nvm/versions/node/v20.17.0/bin/npm
    pnpm: 10.5.2 - ~/.nvm/versions/node/v20.17.0/bin/pnpm
  Browsers:
    Chrome: 135.0.7049.96
    Safari: 17.3
  npmPackages:
    @eslint/js: ^9.22.0 => 9.24.0 
    @inrupt/solid-client-authn-browser: 2.3.0 => 2.3.0 
    @ldo/solid-react: ^1.0.0-alpha.4 => 1.0.0-alpha.4 
    @types/react: ^19.0.10 => 19.1.2 
    @types/react-dom: ^19.0.4 => 19.1.2 
    @vitejs/plugin-react: ^4.3.4 => 4.4.0 
    eslint: ^9.22.0 => 9.24.0 
    eslint-plugin-react-hooks: ^5.2.0 => 5.2.0 
    eslint-plugin-react-refresh: ^0.4.19 => 0.4.19 
    globals: ^16.0.0 => 16.0.0 
    react: ^19.0.0 => 19.1.0 
    react-dom: ^19.0.0 => 19.1.0 
    vite: ^6.3.1 => 6.3.2 
  npmGlobalPackages:
    artillery: 2.0.15
    corepack: 0.29.3
    jest: 27.5.1
    npm: 11.2.0
    pnpm: 10.5.2
    ts-node: 10.9.2
    typescript: 5.7.3

Additional information

[NSeydoux]

Hi Jackson, thanks for reporting this, and sorry for the delayed response. I'll look into what might have caused this.

[NSeydoux]

I cannot reproduce the issue you're experiencing: with a newly created NextJS app, using the code snippet you provided, I can see the dynamic client registration happening successfully:

That is using the latest version of @inrupt/solid-client-authn-browser, 2.4.1.

Can you provide a repo with an app where you can reproduce the issue?

[BkSouX]

hi @NSeydoux , I am just exploring the Solid Project and I think i have the same issue, or kind of.

Here is a quick sample repo i have just created : https://github.com/BkSouX/sample-solid-auth

Some instructions :

• create a .env file with oidc issuer
• start with "npm start"
• go to http://localhost:5000/login and login into your solid server
• you should be redirect to http://localhost:5000/callback with an error

[NSeydoux]

Hi @BkSouX ,

Thanks for the repository for reproduction. In your case, it is the NodeJS libraries that is impacted, which is understandable as 2.4.0 and 2.5.0 included some changes in this area. It looks like a CSS-specific issue (I can't reproduce it against ESS), I'll dig into what changes were made that could result in this outcome.

[BkSouX]

Ok some info that could help :

• I had the same issue with 2.4.1
• I run CSS like this : npx @solid/community-server -c @css:config/file.json -f data/ -l info without specific config (no json file)

[mrkvon]

I can confirm this is still an issue in v2.5.0, on browser side, and fails also against solidcommunity.net (Pivot/CSS).

If you'd like another take on reproducing the bug, you can run https://github.com/solidcouch/solidcouch/tree/04737571fea0afe481db970290ca2da16c1da255 (uses v2.4.1) and try signing in with your solidcommunity.net account.

First clone the repo, checkout to the particular commit, then:

yarn install --frozen-lockfile
VITE_COMMUNITY="https://solidweb.me/solidcouch/community#us" yarn dev

Open the app at localhost:5173, click Sign in, choose solidcommunity.net, sign in, and you will get stuck on Loading... and in your developer tools see the same failed request as described by OP.

[koca2000]

The issue is that the CSS returns expireAt: 0, so the library tries to create a new registration each time. However, some call sites expect that there is a client registration already, because it was just created. According to OIDC the zero value is valid and denotes that the registration never expires. I created a PR with a fix.

[renyuneyun]

Encountered same issue, as new release is not there yet.
An additional note: specifying "@inrupt/solid-client-authn-browser": ">=2.0.0 <2.4.0" (i.e. using version <= 2.3.x) would not work for me. It yields the following error when trying to start authentication:

TypeError: this.handleRedirect is not a function
    handle AuthorizationCodeWithPkceOidcHandler.ts:74
    handle OidcLoginHandler.ts:122
    login ClientAuthentication.ts:72
    login Session.ts:204
    submit Login.tsx:33
    onSubmit Form.tsx:7
    Preact 47
    <anonymous> index.tsx:6
[AuthorizationCodeWithPkceOidcHandler.ts:84:14](http://localhost:5173/node_modules/@inrupt/solid-client-authn-browser/src/login/oidc/oidcHandlers/AuthorizationCodeWithPkceOidcHandler.ts)

Maybe some dependency changes led to this? Not sure.

[mrkvon]

If this has indeed been fixed, can we get a patch release, please? 🙏🏼

[jaxoncreed]

Bumping this again. Would it be possible to get a patch release?

[NSeydoux]

As we are removing support for NodeJS 18, the next version will be a major release. This requires a bit of coordination, but I'll cut the release soon.

[jaxoncreed]

Hey @NSeydoux, thanks for your work. Do you know when that release will be cut? Sorry for the pestering, but it's important. This is Solid's main authentication library, and I've been pushing back a deadline for a few months now. Downgrading will not work because the project requires the new ESM support you implemented.

[NSeydoux]

I just published https://github.com/inrupt/solid-client-authn-js/releases/tag/v3.0.0, so the v3.0.0 artifacts should be on their way to the NPM registry in just a moment. Thanks again to @koca2000 for the fix, and I apologize for the delay. Next time I'll be more careful to release community changes soon, and especially before any breaking change such as dropping the support for Node 18 is merged in.