DuendeSoftware / Support

Support for Duende Software products

BFF Session Store Cleanup Question #1287

Closed carnahanliam closed 1 month ago

carnahanliam commented 1 month ago

Question

I'm trying to better understand session cleanup when using server-side sessions in IdentityServer and a BFF application, specifically when back-channel logout is enabled and ExpiredSessionsTriggerBackchannelLogout and CoordinateClientLifetimesWithUserSession are set to true.

If you configure IdentityServer to remove its expired sessions, and doing so will trigger back-channel logout, is it necessary to also enable cleanup for expired BFF server-side sessions? When the BFF receives a back-channel logout notification, won't it delete the associated session in its store? In that case the BFF may have an expired session in its store for a little while, but it will eventually get deleted through back-channel logout when the IdentityServer session ends?

Cleanup of expired sessions in IdentityServer seems like it needs to be handled promptly since it may also be needed to trigger back-channel logout, but in the BFF session store is it more necessary just to keep things "tidy"?

If my assumptions are correct, I guess what I'm asking is if there is a reason why expired BFF sessions need to be cleaned up promptly or if it's reasonable to wait until the IdentityServer session expires and triggers back-channel logout (say we have inactivity timeout after 10 minutes, and wouldn't expect an IdentityServer session to last more than a day)?

josephdecock commented 1 month ago

The backchannel notifications from IdentityServer will clean up the BFF's session as you're describing, but I would still usually enable both cleanup jobs because back-channel notifications can fail. Notifications are just http requests, and in general the end session protocol is a best-effort protocol without a strong guarantee that the notifications are received. For example, if your BFF had a short outage, IdentityServer might try and fail to send it a backchannel logout notification. In practice, failures are probably/hopefully rare, so the cleanup job should have little to do at the BFF. You could consider increasing the BFF's SessionCleanupInterval but I would still run it occasionally.
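The setup the answer recommends, both cleanup jobs enabled, as an added configuration example (not code from the thread or from Duende's own samples). The three option names the thread mentions (`ExpiredSessionsTriggerBackchannelLogout`, `CoordinateClientLifetimesWithUserSession`, `SessionCleanupInterval`) are taken from the question and answer; the other option and method names are Duende IdentityServer / BFF APIs as I know them and are assumptions to check against the version you run, and `https://bff.example.com` is a placeholder host.

```csharp
// Added example (not from the thread or from Duende). Two hosts are shown in one file
// for readability; in practice each section lives in its own Program.cs.
// Option names beyond the three named in the thread are assumed from the Duende
// IdentityServer (v6+) and Duende.BFF (v2+) option classes; verify against your version.
using Duende.IdentityServer.Models;

// ---- IdentityServer host -------------------------------------------------------------
var isBuilder = WebApplication.CreateBuilder(args);

isBuilder.Services
    .AddIdentityServer(options =>
    {
        // Server-side sessions make the user's session authoritative on the server,
        // which is what lets IdentityServer notice that a session has expired.
        options.ServerSideSessions.RemoveExpiredSessions = true;

        // How often the cleanup job scans for expired sessions. This job must run
        // promptly, because it is also what emits the back-channel logout requests.
        options.ServerSideSessions.RemoveExpiredSessionsFrequency = TimeSpan.FromMinutes(5);

        // When an expired session is removed, send a back-channel logout to every
        // client in that session that registered a BackChannelLogoutUri.
        options.ServerSideSessions.ExpiredSessionsTriggerBackchannelLogout = true;

        // Tie access/refresh token lifetimes to the user's session lifetime
        // (can also be set per client with Client.CoordinateLifetimeWithUserSession).
        options.Authentication.CoordinateClientLifetimesWithUserSession = true;
    })
    .AddServerSideSessions()
    .AddInMemoryClients(new[]
    {
        new Client
        {
            ClientId = "bff",
            AllowedGrantTypes = GrantTypes.Code,
            RequireClientSecret = true,
            ClientSecrets = { new Secret("REPLACE_WITH_SECRET".Sha256()) }, // placeholder
            RedirectUris = { "https://bff.example.com/signin-oidc" },        // placeholder host
            PostLogoutRedirectUris = { "https://bff.example.com/signout-callback-oidc" },
            AllowOfflineAccess = true,
            AllowedScopes = { "openid", "profile" },

            // Duende.BFF exposes its back-channel logout endpoint at /bff/backchannel.
            // Without this URI the BFF never hears that the IdentityServer session ended.
            BackChannelLogoutUri = "https://bff.example.com/bff/backchannel",
        }
    });

// ---- BFF host -----------------------------------------------------------------------
var bffBuilder = WebApplication.CreateBuilder(args);

bffBuilder.Services
    .AddBff(options =>
    {
        // Keep the BFF's own cleanup job on even though back-channel logout normally
        // removes the session: the notification is a best-effort HTTP request and can be
        // lost (e.g. during a BFF outage), leaving an orphaned server-side session behind.
        options.EnableSessionCleanup = true;

        // Back-channel logout should do most of the work, so the interval can be
        // generous; it only has to catch the notifications that never arrived.
        options.SessionCleanupInterval = TimeSpan.FromMinutes(30);
    })
    .AddServerSideSessions(); // in-memory store; swap for an EF/DB-backed store in production
```

The split of responsibilities follows the answer: the IdentityServer job is time-sensitive because removing an expired session is what triggers the notification, while the BFF job is a safety net whose interval can be lengthened but should not be turned off.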

carnahanliam commented 1 month ago

That makes sense, thanks!