panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Question - Check session #140

Closed GilVieira closed 5 years ago

GilVieira commented 5 years ago

Does the client have any functionality to identify if the user has disconnected from the OIDC server? Or how to use the check_session_iframe?

Tks

panva commented 5 years ago

The client does not bundle any functionality like that. It exposes the session_state you need in the TokenSet instance, but that's about it; the rest is client-side JavaScript.

panva commented 5 years ago

This would be a very simple RP frame you embed that handles the session checks. You must also embed the OP frame in the same parent.

https://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification


```html
<!DOCTYPE html>
<html>

<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>Client Example RP logout frame</title>
</head>

<body>
  <script>
    (function () {
      // Origin of the OP. postMessage is restricted to it, and only replies
      // coming from it are accepted.
      var targetOrigin = 'https://guarded-cliffs-8635.herokuapp.com';
      var stat = 'unchanged';
      var timerID;
      // Message format is "client_id session_state"; the session_state value
      // comes from the TokenSet the library returned at login.
      var mes = '113d5760-627b-4f7a-9230-bcc47b04d3e5 a3eb854cf648f5468f3e072be16a2d9f4f1e1d5a52bc710f16983619b6f14d5b';

      function check_session() {
        // The OP iframe must be embedded in the same parent with name="opframe".
        // window.frames['opframe'] already is that iframe's window.
        var win = window.parent.frames['opframe'];
        win.postMessage(mes, targetOrigin);
      }

      function setTimer() {
        timerID = setInterval(check_session, 5 * 1000);
      }

      function receiveMessage(e) {
        if (e.origin !== targetOrigin) {
          return;
        }
        stat = e.data; // 'unchanged', 'changed' or 'error'
        if (stat !== 'unchanged') {
          clearInterval(timerID);
          handle(); // application-defined: re-check the login state or log the user out
        }
      }
      window.addEventListener('message', receiveMessage, false);
      setTimer();
    })();
  </script>
</body>

</html>
```

You can see this in action on https://tranquil-reef-95185.herokuapp.com: log in in two tabs, log out from one, etc. There, instead of handle(), it just alerts for the sake of demoing.

GilVieira commented 5 years ago

Thanks for the help!!!

Do you suggest some lib to use in the browser (React web app)? I am in the following scenario:

Thank you.

panva commented 5 years ago

This is not an RS library, so use on the RS side to verify access tokens isn't really what this lib is built with in mind.

Are you within a single domain? Do you need to expose an OIDC interface at all? If the answer is no, then OAuth2/OIDC is not really for you and you should just stick to cookie authentication.

GilVieira commented 5 years ago

I'm developing a portal, the idea is to make it flexible, and soon I'll need to provide a way for third-party applications to authenticate using our base user to consume our APIs.

I did not create middleware on my resource server as per the code below:

```javascript
import { Issuer } from 'openid-client';

// Not in the original post: reads the bearer token from the Authorization
// header, returning undefined when the header is missing or not "Bearer ...".
function getToken(req) {
    const [scheme, token] = (req.headers.authorization || '').split(' ');
    return scheme === 'Bearer' ? token : undefined;
}

export default async (req, res, next) => {
    try {
        // Discovery runs on every request here; in practice do it once at startup.
        const oidcIssuer = await Issuer.discover('https://oauth.domain.com');
        const client = new oidcIssuer.Client({
            client_id: 'id',
            client_secret: 'secret'
        });
        const token = getToken(req); // get jwt token from header
        req.userinfo = await client.userinfo(token);
    } catch (error) {
        return next(error); // return, otherwise next() below runs a second time
    }
    next();
};
```

Do you suggest some lib to validate the token on the resource server? And another for the browser?

tks

panva commented 5 years ago

I don't suggest anything. But if you wanna go ahead and validate a presented access token on an RS, you might as well do an introspection call instead, and possibly switch to issuing JWT access tokens so that the introspection can be done without calling an endpoint (for that you wouldn't use this library).

panva commented 5 years ago

And an out of the box solution like Auth0 will help you get to market faster (couldn’t resist :troll:)

GilVieira commented 5 years ago

Ok... Tks