IdentityModel / oidc-client-js

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
Apache License 2.0

Monitor session and UserStore #1353

Open ascazzola opened 3 years ago

ascazzola commented 3 years ago

Hello,

I have an identity server with some clients (Angular). I'm using

I'm doing these steps:

  1. Go to client1 and log in with user1
  2. In the same browser tab go to client2 and user1 is logged in (it is correct)
  3. Go to the logout and log in with another user (user2); after that I am automatically redirected to client2
  4. In the same browser tab I return to client1

The issue with it is: client1 gets user1 from localstorage, and when the monitor session validates it with querySessionStatus a logout is executed because user.sub and sessionstatus.sub are different.

I'm trying to understand if localstorage and monitorsession can be used together and how I can avoid this issue. For now I'm using InMemoryStore to avoid it, but I want to understand if this is the correct behavior.

Thanks in advance

brockallen commented 3 years ago

Well, I'm not sure there's a right answer for what's correct behavior. This is a library and you can use it in many ways to satisfy your requirements.

ascazzola commented 3 years ago

@brockallen thanks. Are monitorSession=true and WebStorageStateStore = localstorage compatible at the same time?

brockallen commented 3 years ago

Sure.

ascazzola commented 3 years ago

@brockallen I'm not understanding how I can avoid the issue that I explained with that configuration, when the monitorSession gets from UserManager.getUser() a user that was logged off in another client.

brockallen commented 3 years ago

Well, this is why the default is to use sessionStorage for the user storage. They will remain isolated that way, and then your monitor session will detect that the user has changed.

ascazzola commented 3 years ago

@brockallen the issue happens with session storage too, because it is persisted until the browser / tab is closed.

ascazzola commented 3 years ago

@brockallen maybe my comment was not clear. The problem that I have is that the monitor session detects that the user has changed and triggers the logout, but the logout was already done in another client and I'm logged in with another user.

brockallen commented 3 years ago

Never trigger logout automatically. Only when the user clicks logout.

ascazzola commented 3 years ago

@brockallen I followed the code, and the _start method on the SessionMonitor calls

this._checkSessionIFrame = new this._CheckSessionIFrameCtor(this._callback.bind(this), client_id, url, interval, stopOnError);

and the _callback method gets the user from the user manager and querySessionStatus, and if the subs are different it triggers the logout event. But in my case another user is logged in and the logout was done in another client. I will attach the logs.

In brief, when the next log is executed I don't understand how I should avoid the logout action and update the logged-in user.

Log.debug("SessionMonitor._callback: Different subject signed into OP:", session.sub);
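An added example (not code from the oidc-client-js project) of a userSignedOut handler that follows the advice in this thread: when the monitor reports a different subject at the OP, it reconciles the local cache with the OP session instead of signing anyone out. The event and method names (addUserSignedOut, getUser, querySessionStatus, removeUser, signinSilent) are oidc-client-js's; FakeUserManager is a constructed stand-in so the block runs without a browser or an OP.

```javascript
// Added example, not oidc-client-js code. When SessionMonitor sees a
// different subject at the OP it raises the userSignedOut event; what
// happens next is up to the application's handler. This handler never
// calls signoutRedirect() on its own, so a logout already done in
// another client is not repeated against the new user's OP session.

// Pure decision: compare the locally cached user with the OP's answer.
// cachedUser mirrors oidc-client-js's User (profile.sub); opSession mirrors
// the object querySessionStatus() resolves to ({ sub, sid, session_state }).
function decideSessionAction(cachedUser, opSession) {
  if (!cachedUser) return { action: "none", reason: "nothing cached locally" };
  if (!opSession) return { action: "none", reason: "OP session unknown" };
  if (opSession.sub === cachedUser.profile.sub) {
    return { action: "keep", sub: opSession.sub };
  }
  // Another client signed a different user in at the OP. The cached
  // user is stale; replacing it locally is not a logout of anyone.
  return { action: "switch", from: cachedUser.profile.sub, to: opSession.sub };
}

// Wire with: userManager.events.addUserSignedOut(() => onUserSignedOut(userManager));
// Drops the stale user and silently signs in so client1 picks up user2.
async function onUserSignedOut(userManager) {
  const cached = await userManager.getUser();
  let session = null;
  try {
    session = await userManager.querySessionStatus();
  } catch (e) {
    // prompt=none failed (e.g. login_required): leave the local state alone
    return { action: "none", reason: String(e) };
  }
  const decision = decideSessionAction(cached, session);
  if (decision.action === "switch") {
    await userManager.removeUser();   // forget user1 locally only
    await userManager.signinSilent(); // load user2 through the silent iframe
  }
  return decision;
}

// Constructed stand-in for UserManager (assumption, not the real class).
class FakeUserManager {
  constructor(cachedUser, opSession) { this.user = cachedUser; this.op = opSession; }
  async getUser() { return this.user; }
  async querySessionStatus() { if (!this.op) throw new Error("login_required"); return this.op; }
  async removeUser() { this.user = null; }
  async signinSilent() { this.user = { profile: { sub: this.op.sub } }; return this.user; }
}
```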