
I'm using OIDC Client in my Angular application for authentication against identity server 4. Everything works fine until I hit sign out.

I've enabled monitor session (enabled by default) so that other browsers can detect the sign out and I can log the user out in the other tab of the same browser. When I sign out from one tab, the other tab makes a request to the identity server for a silent refresh token, and that succeeds. I'm expecting the other browser to sign out as well. If I hit F5 in the other tab then yes, it gets redirected to login again, but not automatically.

Himal Patel
  • What is the authorization flow you have configured or used? Have you configured the logout URL? – Sohan Sep 11 '18 at 05:37
  • I'm using implicit flow. The logout URL is properly set. When I log out from one tab, the other tab is detecting and calling the silent_refresh.html which says login is required. This is fine. But my event which I registered on User Manager isn't firing. I've registered userUnloaded and UserSignedOut events, but those are not firing. – Himal Patel Sep 11 '18 at 09:05
  • I would suggest why don't you use OIDC signoutRedirect() when logout button is hit, then call clearStaleState(). Instead of triggering events. Also check for errors for iframe if any? As suggested paste the code. – Sohan Sep 12 '18 at 06:03

1 Answer


Update

To log out from other clients that share the same identity server frontChannel, you can add an iframe in your identity to notify your clients about the logout (oidc-client.js supports front-channel signout).

Front-channel server-side clients

To signout the user from the server-side client applications via the front-channel spec, the “logged out” page in IdentityServer must render an `<iframe>` to notify the clients that the user has signed out. Clients that wish to be notified must have the FrontChannelLogoutUri configuration value set. IdentityServer tracks which clients the user has signed into, and provides an API called GetLogoutContextAsync on the IIdentityServerInteractionService (details). This API returns a LogoutRequest object with a SignOutIFrameUrl property that your logged out page must render into an `<iframe>`.

Back-channel server-side clients

To signout the user from the server-side client applications via the back-channel spec, the SignOutIFrameUrl endpoint in IdentityServer will automatically trigger server-to-server invocation passing a signed sign-out request to the client. This means that even if there are no front-channel clients, the “logged out” page in IdentityServer must still render an `<iframe>` to the SignOutIFrameUrl as described above. Clients that wish to be notified must have the BackChannelLogoutUri configuration value set.

Browser-based JavaScript clients

Given how the session management specification is designed, there is nothing special in IdentityServer that you need to do to notify these clients that the user has signed out. The clients, though, must perform monitoring on the check_session_iframe, and this is implemented by the oidc-client JavaScript library.

After that you can listen to the event addUserSignedOut of oidc-client in all your clients and trigger signoutRedirect to log out your client:

// Raised by the session monitor when the identity server session has ended
this._userManager.events.addUserSignedOut(() => {
  this._userManager
    .signoutRedirect()
    .then(resp => {
      console.log('Success');
    })
    .catch(err => {
      console.log(err);
    });
});

Check this documentation for more details.

Fateh Mohamed
  • I think the problem is not related to token expiration and then doing silent refresh; there seem to be some stale states, or logout is triggered using signoutRedirect. – Sohan Sep 14 '18 at 08:42
  • Yes, but a silent refresh request is one way of checking if the session is still valid or not with the identity server. – Fateh Mohamed Sep 14 '18 at 09:07
  • @FatehMohamed, I tried registering this event but the event isn't raised. – Himal Patel Oct 25 '18 at 08:39
  • Check my update; I have identity server and oidc-client, single sign out works perfectly for me, use the addUserSignedOut event. – Fateh Mohamed Oct 25 '18 at 09:01
  • @FatehMohamed, Yes, I got it working too in one of my sample applications. But still the signout event isn't firing in my other project. There is no error in the log. Any way to troubleshoot? – Himal Patel Oct 25 '18 at 13:46
  • Hi @FatehMohamed, I'm facing some issues with `addUserSignedOut` on production, it's calling just after login, but locally works ok, any idea? – leobelizquierdo Apr 11 '19 at 16:37
  • Are you using oidc-client.js? And why are you using addUserSignedOut? – Fateh Mohamed Apr 11 '19 at 17:59
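
The check_session_iframe exchange that the second tab depends on, as an added example that is not part of the original posts or of oidc-client: it follows the OpenID Connect Session Management draft and runs as plain Node functions. The function names, the hex encoding of the hash, the `onCheckResult` model of the client's reaction, and the sample client id, origin, salt and cookie values are assumptions made for illustration.

```javascript
const crypto = require("crypto");

// session_state = SHA-256(client_id + " " + origin + " " + opbs + " " + salt) + "." + salt
// Hex output is an assumption of this sketch; each provider picks its own encoding.
function computeSessionState(clientId, origin, opBrowserState, salt) {
  const hash = crypto
    .createHash("sha256")
    .update(`${clientId} ${origin} ${opBrowserState} ${salt}`)
    .digest("hex");
  return `${hash}.${salt}`;
}

// OP iframe side: the client iframe posts "client_id session_state" and the OP
// recomputes the value from its *current* session cookie (opBrowserState).
function checkSession(message, origin, opBrowserState) {
  const sep = message.lastIndexOf(" ");
  if (sep < 1) return "error";
  const clientId = message.slice(0, sep);
  const sessionState = message.slice(sep + 1);
  const dot = sessionState.lastIndexOf(".");
  if (dot < 1 || dot === sessionState.length - 1) return "error";
  const salt = sessionState.slice(dot + 1);
  const expected = computeSessionState(clientId, origin, opBrowserState, salt);
  return expected === sessionState ? "unchanged" : "changed";
}

// Client side (hypothetical helper): "changed" triggers a silent prompt=none
// request; login_required from that request means the user is signed out.
// "error" must not trigger a silent request, to avoid request loops.
function onCheckResult(result, silentRequest) {
  if (result === "error") return "stop-polling";
  if (result === "unchanged") return "keep-session";
  return silentRequest() === "login_required" ? "user-signed-out" : "session-renewed";
}

// Constructed sample: tab B holds the session_state issued at login; tab A then
// signs out, which clears the OP session cookie that tab B's check reads.
function demo() {
  const origin = "https://app.example";
  const issued = computeSessionState("spa", origin, "opbs-cookie-1", "s4lt");
  const beforeLogout = checkSession(`spa ${issued}`, origin, "opbs-cookie-1");
  const afterLogout = checkSession(`spa ${issued}`, origin, "");
  return [beforeLogout, afterLogout, onCheckResult(afterLogout, () => "login_required")];
}
```

If the check never returns "changed" after a sign-out elsewhere, the signed-out event has nothing to fire on, so the session cookie and the origin seen by the check are the first things to compare between a working and a non-working setup.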