I have an IdentityServer4 application with a JavaScript client and several ASP.NET Core clients.

The JavaScript client was created using "Adding a JavaScript client".

I have implemented back-channel logout on the ASP.NET Core apps, so that when one logs out they all log themselves out. The problem I am having is with the JavaScript app. I don't see how back-channel logout would work with that. The only thing I have been able to think of is to have the following code check the server every minute to see if the user is still logged in. But that sounds like a lot of calls to the identity server.

```javascript
// mgr and log() are defined elsewhere in the client.
function login() {
    mgr.signinRedirect();
}

function api() {
    mgr.getUser().then(function (user) {
        var url = "http://localhost:5001/identity";

        var xhr = new XMLHttpRequest();
        xhr.open("GET", url);
        xhr.onload = function () {
            log(xhr.status, JSON.parse(xhr.responseText));
        };
        // Call the API with the access token of the signed-in user.
        xhr.setRequestHeader("Authorization", "Bearer " + user.access_token);
        xhr.send();
    });
}

function logout() {
    mgr.signoutRedirect();
}
```

Is there a way to implement single signout / back channel logout on a JavaScript client side app?

Linda Lawton - DaImTo

1 Answer

There is no better way to do this. Think about it: the server has to inform the client about the logout event. It can be done in 3 ways.

  1. The server sends a logout event.
  2. The client polls and gets this information periodically.
  3. Magic - Obviously this is not a valid option.

You are already trying option 2. The only way to limit the traffic is to reduce the polling interval. Does it matter whether the client session is deactivated immediately? You can deactivate the session once the next server request is made by the client.

As for option 1, you can use async eventing like long polling or WebSockets to send data back to the client.

indolentdeveloper
  • Thank you for verifying my suspicion that option 1 was not possible. I am not a client-side developer so wasn't 100% sure. Unfortunately this is bank-related data, so the user needs to be logged out as soon as possible. I have been told 5 minutes is too long, so it's going to be a lot of polling. I wondered if SignalR was an option. – Linda Lawton - DaImTo Sep 11 '19 at 08:50
  • Yes, that could be an option, depending upon which technology you are using currently. WebSocket, long polling, server events, SignalR are some of the options. – indolentdeveloper Sep 11 '19 at 08:57
  • Here's a follow-up if you're interested; my polling isn't working right. https://stackoverflow.com/q/57903692/1841839 – Linda Lawton - DaImTo Sep 12 '19 at 10:06
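
Added example (not part of the original thread): a small client-side guard that funnels the signals discussed in the answer (a server push, a poll result, a rejected API call) into one idempotent sign-out path. `createLogoutGuard`, the `session` object, the push message shape, the missed-poll limit and the 401 behaviour are assumptions made for illustration.

```javascript
// Added example. createLogoutGuard, the session object and the message shape are
// hypothetical; wire the handlers to your own poll timer, push channel and XHR code.
function createLogoutGuard(session, onSignedOut, maxMissedPolls = 2) {
  let signedOut = false;
  let missedPolls = 0;

  // Single teardown path so every signal ends the session the same way, once.
  function endSession(reason) {
    if (signedOut) return false;
    signedOut = true;
    session.accessToken = null; // stop sending the bearer token
    session.sid = null;
    onSignedOut(reason);
    return true;
  }

  return {
    // Option 1: the server pushes a logout event (WebSocket, SignalR, ...).
    // Only act on a message that names this browser's session id.
    handlePush(message) {
      if (!message || message.type !== "logout") return false;
      if (!session.sid || message.sid !== session.sid) return false;
      return endSession("push");
    },

    // Option 2: result of one poll: true, false, or null when the check failed.
    // Repeated failures end the session instead of leaving it open unverified.
    handlePoll(active) {
      if (active === true) { missedPolls = 0; return false; }
      if (active === false) return endSession("poll");
      missedPolls += 1;
      return missedPolls >= maxMissedPolls ? endSession("poll-unreachable") : false;
    },

    // "Deactivate on the next request": assumes the API answers 401 once the
    // session is gone.
    handleApiStatus(status) {
      return status === 401 ? endSession("api-401") : false;
    },

    isSignedOut: () => signedOut,
  };
}
```

With a push channel in place the poll can run at a longer interval as a fallback, since each handler returns `true` only for the call that actually ended the session.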