
In my application I have a timeout feature, so when the user is idle for X minutes I want to sign them out from Identity Server.

My first attempt was to manually create the call without having the user navigate to the Logout controller.

This code looks like this (Angular + TS):


    this.userManager
      .createSignoutRequest({ id_token_hint: this.user && this.user.id_token })
      .then(signout_request => {
        this.http
          .get(signout_request.url, {
            responseType: 'text',
            headers: new HttpHeaders().set(InterceptorSkipHeader, '') // Ignores token http-interceptor
          })
          .subscribe(_ => {
            this.userManager.removeUser().then(_ => {
              window.location.href = '/timeout'; // Navigate to page that informs user has been timed out
            });
          });
      });

I can see it goes to the endsession endpoint with an id_token_hint and the proper redirect_url; however, when I try to log back into the application, it gives me a token without asking me for the credentials again, which defeats the purpose.

The regular signout function from the oidc-client-js library works fine.

    this.userManager
      .signoutRedirect()
      .then(res => {
        if (!environment.production) {
          // console.log('Redirection to signout triggered.', res);
        }
      });

The only caveat is that I would like to present the user additional information stating that they have been timed out due to inactivity and I'm not sure how.

This function accepts a post_logout_redirect_uri and a state as parameters, but I haven't been able to grab those on my IdentityServer (I'm still a novice with .NET).

Is this the wrong approach? Shall I navigate the user back to my Angular app using something like a /timeout route to show this message?

Thanks for your input

Narshe

1 Answer

Calling the end session endpoint in this way is not supported AFAIK; it must be a top-level navigation since it may involve presenting a UI. No cookies will be sent when doing a CORS request like this.

A better option may be to use the max_age authorize endpoint parameter in the sign-in request and check auth_time in the resulting id_token to ensure it's not older than you want. That way you'll only get a new token if they authenticated within the time period you provide, but you don't have to worry about explicitly signing the user out.

post_logout_redirect_uri is indeed the correct thing to use to take the user back to somewhere within your app after signing out. These URIs must be pre-registered against the client.

mackie
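As an added example (not from the question, the answer, or the oidc-client-js library), the max_age / auth_time approach the answer describes, in TypeScript: the extra sign-in arguments, a freshness check on the decoded id_token's auth_time, and the login_required branch for silent renew. The helper names, the constructed sample token and the fixed clock are assumptions; signature validation is left to the library, so the parser only inspects claims.

```typescript
// Added example, not project code. Helper names, sample token and clock are assumed.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
// Minimal base64url codec so the example needs neither Buffer nor atob.
function b64urlEncode(s: string): string {
  let out = '', bits = 0, acc = 0;
  for (let i = 0; i < s.length; i++) {
    acc = ((acc << 8) | (s.charCodeAt(i) & 0xff)) & 0xffff; bits += 8;
    while (bits >= 6) { bits -= 6; out += B64URL[(acc >> bits) & 0x3f]; }
  }
  return bits ? out + B64URL[(acc << (6 - bits)) & 0x3f] : out;
}
function b64urlDecode(s: string): string {
  let out = '', bits = 0, acc = 0;
  for (let i = 0; i < s.length; i++) {
    const v = B64URL.indexOf(s[i]);
    if (v < 0) throw new Error('invalid base64url input');
    acc = ((acc << 6) | v) & 0xffff; bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((acc >> bits) & 0xff); }
  }
  return out;
}
interface IdTokenClaims { auth_time?: number; exp: number; [claim: string]: unknown; }
// Read the payload of a compact JWS. oidc-client-js validates the signature
// before handing the token over; this only inspects the claims.
function parseIdToken(idToken: string): IdTokenClaims {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(b64urlDecode(parts[1])) as IdTokenClaims;
}
// Extra args for signinRedirect()/signinSilent(): the OP must re-authenticate
// the user when the session is older than maxAgeSeconds.
function signinArgsWithMaxAge(maxAgeSeconds: number, silent: boolean): { max_age: number; prompt?: string } {
  return silent ? { max_age: maxAgeSeconds, prompt: 'none' } : { max_age: maxAgeSeconds };
}
// True when auth_time is within maxAgeSeconds of now. A missing auth_time
// counts as stale, because the OP must return it when max_age was requested.
function authTimeIsFresh(claims: IdTokenClaims, maxAgeSeconds: number, nowSeconds: number): boolean {
  return typeof claims.auth_time === 'number' && nowSeconds - claims.auth_time <= maxAgeSeconds;
}
// Silent renew (prompt=none) answers error=login_required once max_age is
// exceeded; that is the cue to send the user through interactive login.
function afterSilentRenew(err: { error?: string } | null): 'ok' | 'interactive_login' | 'other_error' {
  if (!err) return 'ok';
  return err.error === 'login_required' ? 'interactive_login' : 'other_error';
}
// Constructed sample: an unsigned id_token whose auth_time is 30 minutes old.
const NOW = 1566475200; // fixed clock so the check is deterministic
const SAMPLE_ID_TOKEN = [b64urlEncode('{"alg":"none"}'),
  b64urlEncode(JSON.stringify({ sub: 'user1', auth_time: NOW - 1800, exp: NOW + 3600 })), ''].join('.');
```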
  • Thanks for the input. I have a question there if you can clarify: In this case, if I'm also using silent renew, would I get a new time on each renewal? Or would this only work for, let's say, make the user only be able to use the token for 1 day or 8 hours or the likes – Narshe Aug 22 '19 at 13:13
  • If using a silent renewal (`prompt=none`) in combination with `max_age=n` then if the age is exceeded you'd get an `error=login_required` in response and have to prompt for interactive authentication which in turn would update `auth_time` to `now()` – mackie Aug 22 '19 at 14:18
  • Thanks, I'll try that out. Although this does not answer my original question I believe this is what really solves the problem. Thanks again for your time. – Narshe Aug 22 '19 at 15:36
  • @Narshe did you find the solution for this? Can you please show an example with code? – San Jaisy Aug 15 '21 at 01:59
  • @mackie can you please provide some sample code. I am facing the same issue – San Jaisy Aug 15 '21 at 02:06
  • I went for a simpler approach, as I control the Identity Server and therefore I can make changes to it without repercussions. I pass an extra query param to the logout request. In Identity Server I check if that param comes in the request and modify the logout screen to include the timeout message with this. JS code looks like this: `this.userManager.createSignoutRequest({ id_token_hint: this.user.id_token, extraQueryParams: { reason: 'timeout' } })` – Narshe Aug 16 '21 at 11:05