FHIR.oauth2.authorize not redirecting to my authorization server if the app is hosted on the production server #183

Closed
leo9223 opened this issue May 10, 2024 · 5 comments

leo9223 commented May 10, 2024

I am using angular v12 and the following is my submit function which is executing on button click:

  onSubmit(form: FormGroup) {
    ...
    FHIR.oauth2.authorize({
      clientId: client_id,
      scope: this.sofClientScopes,
      iss: server.url,
      redirectUri: window.location.origin,
      pkceMode: "required"
    });
  }

The problem is that it works perfectly fine in a development environment and redirects to my authorization server when the client application is running on "http://localhost", but when I host my Angular app in production on an IIS web server with a public domain, the code does not come back from the "FHIR.oauth2.authorize(...." function (I have debugged the code remotely) and does not redirect to my authorization server. On top of that, I am not getting any error on the console and also not getting any error while debugging remotely.

Member

jmandel commented May 11, 2024

Just to be clear, it sounds like the authorization is not even initiated, if the redirect to the authorized endpoint is not happening?

> my authorization server

Are you building the server at the client in this case? I want to make sure I understand the scenario.

Are all of the origins involved in the failing scenario (app origin and authorization server) https:// ?

Author

leo9223 commented May 11, 2024

I am using version 2.5.3 of fhirclient js.

Yes, authorization is not initiating; the client app is not redirecting to the auth server login page in production mode (but it works when hosted on localhost (in production) or running in dev mode, which is also on localhost).

Let me explain: there are three applications, all developed in-house: 1) an Angular smart-on-fhir client, 2) a .NET-based auth server (using identity server), 3) a FHIR server using fhir-net-api.

All these applications are on the same web server, even in the same folder.

I am hosting like:

--angular client
----auth server
----fhir server

My urls are like:
mydomain (angular client)
mydomain/FhirAuthServer (authserver)
mydomain/FhirServer (fhirserver)

Note: mydomain is not on https yet, but it is public.
(You can replace it with localhost.)

I have not understood your last question correctly; kindly let me know if my explanation does not clear that up.

Member

jmandel commented May 11, 2024

You will not be able to run this library without a secure context. https://developer.mozilla.org/en-US/docs/Web/Security/Secure_Contexts has details about what this means, but basically you can think of this as meaning localhost or an HTTPS protocol URL.

Obviously we should have a better error message! @vlad-ignatov not sure if you have run into this before?

You can try disabling support for pkce if you really want to test this on a non-secure context, but the far better approach would be to make sure you are hosting your domain in a secure context.

Author

leo9223 commented May 12, 2024

Yes, we are going to have https; we were starting the deployment just to test things. Alright, I'll first test by turning off the pkce, and eventually we will configure the https. I'll let you know. Thanks.

vlad-ignatov added a commit that referenced this issue Aug 26, 2024
Collaborator

vlad-ignatov commented

Detection and error messages are included in fhirclient@2.5.4. Feel free to reopen if it doesn't work. Thank you!
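
The secure-context requirement jmandel describes can be checked before calling `FHIR.oauth2.authorize`, so a deployment on plain `http://` fails with a readable error instead of silently. This is an added example, not code from this thread or from fhirclient; `pkcePreflight`, `authorizeWithPreflight`, the stub and the sample environments are hypothetical names, and it assumes the failure comes from `crypto.subtle` being absent outside a secure context.

```javascript
// Added example, not fhirclient code. Assumption: the silent failure comes from
// PKCE needing SHA-256 via crypto.subtle, which browsers expose only in a
// secure context (https://, or http://localhost).

// Inspect a window-like object and report why PKCE cannot run there.
function pkcePreflight(env) {
  const problems = [];
  if (env.isSecureContext !== true) {
    problems.push(`${env.location.origin} is not a secure context; serve the app over https://`);
  }
  const subtle = env.crypto && env.crypto.subtle;
  if (!subtle || typeof subtle.digest !== "function") {
    problems.push("crypto.subtle.digest is missing, so no S256 code challenge can be computed");
  }
  return { ok: problems.length === 0, problems };
}

// Fail loudly when PKCE is required (as in the issue) but cannot work.
// Other pkceMode values are passed through to the library unchanged.
// `fhir` is the FHIR global from fhirclient; `env` is `window` in a browser.
function authorizeWithPreflight(env, fhir, options) {
  const check = pkcePreflight(env);
  if (!check.ok && options.pkceMode === "required") {
    throw new Error("SMART authorize aborted: " + check.problems.join("; "));
  }
  return fhir.oauth2.authorize(options);
}

// Constructed window-like samples so the check also runs outside a browser.
const fakeSubtle = { digest: async () => new ArrayBuffer(32) };
const sampleEnvs = {
  localhostHttp: { isSecureContext: true, crypto: { subtle: fakeSubtle }, location: { origin: "http://localhost:4200" } },
  publicHttp: { isSecureContext: false, crypto: {}, location: { origin: "http://app.example.test" } },
  publicHttps: { isSecureContext: true, crypto: { subtle: fakeSubtle }, location: { origin: "https://app.example.test" } },
};

// Stub standing in for the library: records whether authorize() was reached.
function makeStubFhir() {
  const calls = [];
  return { calls, oauth2: { authorize: (opts) => { calls.push(opts); return "redirecting"; } } };
}

for (const [name, env] of Object.entries(sampleEnvs)) {
  const { ok, problems } = pkcePreflight(env);
  console.log(name, ok ? "PKCE can run" : "blocked: " + problems.join("; "));
}
```

In the Angular app this would be called as `authorizeWithPreflight(window, FHIR, { ... })` with the same options object shown in the issue.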
