
I'm evaluating using the angular-oauth2-oidc package in an Angular 9 application. I've been playing around with the worked example found here.

When I run the worked example and open up two separate browser sessions (Chrome) and try to log in using the two supplied username/passwords, I've noticed the following:

  1. When I log out in one browser, the other browser logs out.
  2. When I log in on one browser and try to log into the second browser (using a different user account), it automatically logs me in without having to authenticate.
  3. When I log out, I notice the sessionStorage is deleted, but I'm still automatically logged in when I click login.

Is this expected functionality? It seems very strange behavior. Could anyone recommend how I can configure angular-oauth2-oidc to overcome these issues highlighted?

  • What do you mean by browser sessions? I'm pretty sure that has nothing to do with the library. Most likely your "sessions" are actually shared. Try Chrome and Edge/Safari/Chrome-incognito to make sure. The other option is the backend (IdP) you use. Probably your test instance supports only one user session at a time (sounds stupid, but that's what comes out of your explanation). – d_f Jun 18 '20 at 21:12

1 Answer

I see the login status and information is saved in session storage in your case. The session storage for the same website is the same even if you open it from multiple tabs.

So when you log out from one tab, the login status is changed in the shared session storage and the login info is removed. So all tabs that are open will read from session storage that the user is logged out.

So it is normal that from a single browser, which has only one session storage for each website, you can log in with only one user for this website.

If you want to log in with different users, use different browsers.

If it is important to let users log in with different users in multiple tabs, you have to:

  • Not let the angular-oauth2-oidc package use sessionStorage or localStorage, and instead use a custom storage, which is a service that lives only inside your code at run time. But when you refresh, everything will be lost and you will need to log in again.
  • Not let the login page at the identity server store anything in cookies, so you should remove "remember me", because there are multiple users logged in and you don't know whose session has ended in order to refresh his session, so he has to enter his credentials again.
– Gendy
  • Hi, thanks for commenting on my question. The issue I'm having is with using two separate browser sessions, not a single browser using two tabs. – Think Tank Jun 06 '20 at 18:38
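The first bullet of the answer (a storage that lives only in the running code) can be implemented as a small class, shown here as an added example that is not part of the question or the answer. angular-oauth2-oidc exposes an abstract `OAuthStorage` class with `getItem`, `removeItem` and `setItem`; the `OAuthStorageLike` interface below is a local stand-in with the same shape so the file runs without Angular installed, and the provider registration is left as a comment. The token strings are constructed sample values. The two helper functions model the behaviour the answer describes: separate tabs no longer share login state, and a refresh (a fresh instance) starts logged out.

```typescript
// Added example, not from the question or the answer: a memory-only storage
// that can replace sessionStorage in angular-oauth2-oidc. The library's
// abstract OAuthStorage class declares getItem / removeItem / setItem; the
// local interface below mirrors that shape so this file runs without Angular.
interface OAuthStorageLike {
  getItem(key: string): string | null;
  removeItem(key: string): void;
  setItem(key: string, data: string): void;
}

// Lives only in the running JavaScript context: nothing is written to
// sessionStorage or localStorage, so another tab or window cannot read it,
// and a page refresh discards it (the user has to log in again).
class MemoryOAuthStorage implements OAuthStorageLike {
  private readonly data = new Map<string, string>();

  getItem(key: string): string | null {
    const value = this.data.get(key);
    return value === undefined ? null : value;
  }

  removeItem(key: string): void {
    this.data.delete(key);
  }

  setItem(key: string, data: string): void {
    this.data.set(key, data);
  }
}

// Two independent tabs, each with its own storage instance: a logout
// (removeItem) in tab A leaves tab B's token untouched.
function simulateTwoTabs(): { tabAToken: string | null; tabBToken: string | null } {
  const tabA = new MemoryOAuthStorage();
  const tabB = new MemoryOAuthStorage();
  tabA.setItem('access_token', 'constructed-token-for-user-a'); // constructed sample value
  tabB.setItem('access_token', 'constructed-token-for-user-b'); // constructed sample value
  tabA.removeItem('access_token'); // user A logs out in tab A
  return {
    tabAToken: tabA.getItem('access_token'),
    tabBToken: tabB.getItem('access_token'),
  };
}

// A page refresh recreates the service, so the stored token is gone.
function simulateRefresh(): string | null {
  let storage: MemoryOAuthStorage = new MemoryOAuthStorage();
  storage.setItem('access_token', 'constructed-token'); // constructed sample value
  storage = new MemoryOAuthStorage(); // the refreshed page gets a fresh instance
  return storage.getItem('access_token');
}

// In the Angular module this class is registered in place of the default
// sessionStorage, with OAuthStorage imported from 'angular-oauth2-oidc':
//   providers: [{ provide: OAuthStorage, useClass: MemoryOAuthStorage }]
// (kept as a comment so the file stays runnable outside Angular).
```

Note that this only addresses what the client keeps between tabs. The symptoms in the question (one browser's logout ending the other's session, and the second browser being signed in without a prompt) come from the identity provider's own login cookie, which is the answer's second bullet; a memory-only storage does not change that.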