Open ms-emp opened 8 months ago
Removing the user from storage will not log him out from the identity provider (it will only be at the app level). So if he still has an active session at the identity provider, the next login redirect will be instant and the user will be logged in again without re-entering any credentials.
That's exactly what I want; we can force re-authentication even when the session is still active.
See here: Force Reauthentication in OIDC
Out of curiosity: why would you want to do that?
Like I answered in #30:
If your concern is just making sure that the user would not be re-logged in automatically, then you can simply set retrieveUserSession to false.
This will do exactly what you want: the user opens the app, logs in, closes the app, reopens the app and is now logged out (forcing him to click on login again), but he was not logged out from the IDP, so the popup comes and goes, and the user is logged in again.
You can also couple that with loginRequired: true so that when the user opens the app, he is always redirected automatically to the IDP (no need for him to click on a login button somewhere).
What I want is that - on mobile - every time the app opens we should start from a clean state (no previous auth session); now I'm not able to force sign-out from the identity provider. Still, at least I could clear the local user session and force the user to re-authenticate (even if he didn't log out from the IDP), as I mentioned above.
retrieveUserSession only works for desktop, not on mobile; as you answered here, on mobile the user session is retrieved from storage.
But another main point is that, by using the ngx-auth library, we should still have full control over the OidcUserManager (which extends UserManager from oidc-client-ts) if the developer needs it for any reason, so really AuthService should make the underlying OidcAuthManager and OidcUserManager publicly accessible.
loginRequired: true: will force the user to authenticate before bootstrapping the Angular application.
retrieveUserSession: true: will try to log the user back in at startup, and will simply load the user from storage on mobile => if it is false, it will set the user to null and dispatch isAuthenticated: false.
So yes, retrieveUserSession: false should do the trick in your case because, unlike what you think, it also works on mobile.
Regarding the full control over OidcUserManager, I get your point and I'm open to discussing it, but only on a per-case basis and only if it makes sense.
This library was made with 3 things in mind:
Provide one single library to do both desktop and mobile authentication
Make sure all the security standards and best practices are respected so that the developer doesn't have to think about it
Make sure that a good level of security is kept
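The behaviour discussed in this thread (clearing the stored user versus ending the identity provider session, the retrieveUserSession / loginRequired startup options, and forcing re-authentication with prompt=login) as an added, self-contained JavaScript model. This is not code from ngx-auth, oidc-client-ts or any participant in the thread: IdentityProvider, AppAuthClient, startApp and the option names are hypothetical stand-ins, the account credentials and clock are constructed, and the model goes slightly beyond the thread by also covering max_age and prompt=none.

```javascript
// Added example, not code from ngx-auth or oidc-client-ts: a self-contained model of an
// OIDC identity provider (IdP) session and the app's local user store, to show why
// clearing the stored user does not end the IdP session, how retrieveUserSession /
// loginRequired interact with it, and how prompt=login forces re-authentication.
// All class, method and option names here are hypothetical stand-ins.

const CLOCK = { now: 1000 }; // constructed clock, seconds since epoch

// --- IdP side: holds one browser session (sid cookie) per authenticated user ---
class IdentityProvider {
  constructor() {
    this.sessions = new Map();                   // sid -> { sub, authTime }
    this.accounts = { alice: 'correct horse' };  // constructed test credentials
  }
  // Authorization endpoint. `cookie` is the browser's IdP session cookie, if any.
  authorize(req, cookie) {
    const session = cookie ? this.sessions.get(cookie) : undefined;
    // OIDC Core 3.1.2.1: prompt=login (or max_age=0) must re-prompt even with a live session.
    const forceLogin = req.prompt === 'login' || req.max_age === 0;
    const tooOld = session && req.max_age > 0 && CLOCK.now - session.authTime > req.max_age;
    if (session && !forceLogin && !tooOld) {
      return { kind: 'code', sub: session.sub, authTime: session.authTime };
    }
    if (req.prompt === 'none') return { kind: 'error', error: 'login_required' };
    return { kind: 'login_form' };
  }
  // Login form submission: returns a new sid cookie, or null on bad credentials.
  login(username, password) {
    if (this.accounts[username] !== password) return null;
    const sid = `sid-${this.sessions.size + 1}`;
    this.sessions.set(sid, { sub: username, authTime: CLOCK.now });
    return sid;
  }
  // RP-initiated logout (end_session endpoint).
  endSession(cookie) { this.sessions.delete(cookie); }
}

// --- App side: the UserManager-like operations discussed in the thread ---
class AppAuthClient {
  constructor(idp) {
    this.idp = idp;
    this.storage = new Map(); // app-local user store (what removeUser() clears)
    this.idpCookie = null;    // browser cookie jar for the IdP origin
  }
  getUser() { return this.storage.get('user') ?? null; }
  removeUser() { this.storage.delete('user'); }            // app-level only
  signoutRedirect() {                                       // ends the IdP session too
    this.idp.endSession(this.idpCookie);
    this.idpCookie = null;
    this.removeUser();
  }
  // Login redirect. `credentials` is what the user types if the IdP shows its form.
  signinRedirect(extra = {}, credentials = null) {
    let res = this.idp.authorize(extra, this.idpCookie);
    const prompted = res.kind === 'login_form';
    if (prompted) {
      const sid = credentials && this.idp.login(credentials.username, credentials.password);
      if (!sid) return { signedIn: false, prompted };
      this.idpCookie = sid;
      res = this.idp.authorize({}, sid); // the form submit completes the original request
    }
    if (res.kind !== 'code') return { signedIn: false, prompted, error: res.error };
    this.storage.set('user', { sub: res.sub, authTime: res.authTime });
    return { signedIn: true, prompted };
  }
}

// App bootstrap as the thread describes it (hypothetical options, not ngx-auth's API):
// retrieveUserSession=false discards the stored user; loginRequired=true then redirects.
function startApp(app, { loginRequired, retrieveUserSession, prompt }) {
  if (!retrieveUserSession) app.removeUser();
  const hadStoredUser = app.getUser() !== null;
  let prompted = false;
  if (!hadStoredUser && loginRequired) prompted = app.signinRedirect(prompt ? { prompt } : {}).prompted;
  return { hadStoredUser, isAuthenticated: app.getUser() !== null, prompted };
}

// Returns an app that has already logged in once (IdP cookie + stored user present).
function loggedInApp() {
  const app = new AppAuthClient(new IdentityProvider());
  app.signinRedirect({}, { username: 'alice', password: 'correct horse' });
  return app;
}

// Scenario A: clear the local user only. The IdP cookie survives, so the redirect logs
// the user straight back in without asking for credentials.
function scenarioClearLocalOnly() {
  return startApp(loggedInApp(), { loginRequired: true, retrieveUserSession: false });
}
// Scenario B: same, but prompt=login. The IdP shows its form even though its session is live.
function scenarioForceReauth() {
  return startApp(loggedInApp(), { loginRequired: true, retrieveUserSession: false, prompt: 'login' });
}
// Scenario C: full logout via end_session. Even retrieveUserSession=true finds no user,
// and the redirect must prompt for credentials.
function scenarioFullSignout() {
  const app = loggedInApp();
  app.signoutRedirect();
  return startApp(app, { loginRequired: true, retrieveUserSession: true });
}
```

Running the three scenarios shows the point made above: scenarioClearLocalOnly() ends with isAuthenticated true and prompted false, because the IdP cookie outlives the app's local store; only prompt=login (scenarioForceReauth) or ending the IdP session (scenarioFullSignout) makes the IdP ask for credentials again. In a real oidc-client-ts application the corresponding calls are UserManager.removeUser(), signinRedirect({ prompt: 'login' }) and signoutRedirect().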
retrieveUserSession: !Capacitor.isNativePlatform() did the trick.
Glad to see you got it working ;-)
You can also import and use isNativeMobile directly from the lib (which will make sure your app is either a Capacitor app or a Cordova app).
Description
I would like to force the user to re-login on app start even though the previous session has not expired yet.
Right now the only way to log out the user is by calling logout from AuthService, which does a redirect in a browser window, but that's not what I want to do when the user opens the app. Instead, I would like to clear the session from storage so the user must re-enter his credentials. This will also resolve point 2 here.
Proposed solution
Make removeUser from OIDCAuthManager public as well for ngx-auth.
Alternatives considered
No response