
We are using angular-oauth2-oidc plugin.

More specifically:

  • angular 13
  • angular-oauth2-oidc 13.0.1

Our OAuth IDP is based on WSO2 Identity Server. Here is a sample of the discovery document served by WSO2 IS:

{
  "request_parameter_supported": true,
  "claims_parameter_supported": true,
  "introspection_endpoint": "https://host:port/oauth2/introspect",
  "Response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "scopes_supported": [
    "address",
    "phone",
    "openid",
    "profile",
    "email"
  ],
  "check_session_iframe": "https://host:port/oidc/checksession",
  "backchannel_logout_supported": true,
  "issuer": "https://host:port/oauth2/token",
  "authorization_endpoint": "https://host:port/oauth2/authorize",
  "introspection_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "claims_supported": [
    "phone_number",
    "country",
    "birthdate",
    "preferred_username",
    "middle_name",
    "formatted",
    "updated_at",
    "email",
    "upn",
    "sub",
    "nickname",
    "given_name",
    "locality",
    "gender",
    "region",
    "family_name",
    "email_verified",
    "name",
    "profile",
    "locale",
    "phone_number_verified",
    "zoneinfo",
    "picture",
    "postal_code",
    "street_address",
    "website",
    "groups",
    "address",
    "iss",
    "acr"
  ],
  "userinfo_signing_alg_values_supported": [
    "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "backchannel_logout_session_supported": true,
  "token_endpoint": "https://host:port/oauth2/token",
  "response_types_supported": [
    "id_token token",
    "code",
    "id_token",
    "device",
    "token"
  ],
  "revocation_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "grant_types_supported": [
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:saml2-bearer",
    "password",
    "client_credentials",
    "iwa:ntlm",
    "urn:ietf:params:oauth:grant-type:device_code",
    "authorization_code",
    "urn:ietf:params:oauth:grant-type:uma-ticket",
    "account_switch",
    "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ],
  "end_session_endpoint": "https://host:port/oidc/logout",
  "revocation_endpoint": "https://host:port/oauth2/revoke",
  "userinfo_endpoint": "https://host:port/oauth2/userinfo",
  "code_challenge_methods_supported": [
    "S256",
    "plain"
  ],
  "jwks_uri": "https://host:port/oauth2/jwks",
  "subject_types_supported": [
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "registration_endpoint": "https://host:port/api/identity/oauth2/dcr/v1.1/register",
  "request_object_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "PS256",
    "none"
  ]
}

We have developed a full Angular application but we are facing a very basic issue.

When the user clicks on "logout" we start the logout flow (and we call this.oauthService.logOut();).

The plugin redirects the user to the logout page of WSO2, where the user can decide whether to confirm the logout or not.

If the user clicks yes, the logout process is successfully managed and all works pretty well.

When the user clicks no, we noticed that the token is deleted from the storage and, so, we must tell the user to log in again.

Is there anything we are missing? It seems a very common scenario and it's impossible that the plugin doesn't manage this situation.

Thank you

Angelo

Angelo Immediata

1 Answer


You haven't shown any of your code or a way to reproduce it, so it's a bit of a guess what your issue is, but I guess you'll have the exact same issue if the state for your SPA is empty (e.g. a fresh tab if using sessionStorage, the default, for your OAuthStorage). The user will also not be logged in when they are in fact already signed in. If they'd click "sign in" on your application they might go to the IDP and get sent immediately back since they're already logged in.

I have an annotated sample that shows how to use "silent refresh" to handle both of those scenarios: fresh tab, or the user having picked "no" on the IDP when logging out. When your SPA bootstraps, this makes the library use a silent refresh to double check if they're not signed in after all.

The gist of that sample is:

this.oauthService.loadDiscoveryDocument()
  .then(() => this.oauthService.tryLogin())
  .then(() => this.oauthService.hasValidAccessToken()
    ? Promise.resolve()
    : this.oauthService.silentRefresh()
  );

Beware of 3rd party cookie issues with "silent refreshes" that rely on iframes though.

Jeroen
    Hi Jeroen. Sorry I forgot to put some piece of code... but basically what I do is to call the logout method of oauthService. The behavior you described is the issue I have. I'll give a look to your gist and git repository and I'll let you know. Thank you! – Angelo Immediata Jan 07 '22 at 07:58
  • Hi Jeroen. We are still facing the issue I wrote. I opened a question on angular-oauth2-oidc as you can see here https://github.com/manfredsteyer/angular-oauth2-oidc/issues/1174. I described all steps and all what we tried... – Angelo Immediata Jan 12 '22 at 13:41
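The bootstrap sequence from the answer above, as an added example that is not part of the question, the answer, or angular-oauth2-oidc itself. It runs the same four calls (loadDiscoveryDocument, tryLogin, hasValidAccessToken, silentRefresh) against a constructed stand-in for OAuthService, so the "user pressed No on the WSO2 logout page" case can be exercised offline: logOut() has already cleared the SPA's token storage, but the IDP session is still alive, and the silent refresh is what recovers the token. The interface `OAuthLike`, the class `SimulatedOAuthService`, the `bootstrapSession` and `scenario*` functions, the `expires_at` storage key and all token values are assumptions made for this example.

```typescript
// Added example, not code from the question, the answer, or angular-oauth2-oidc.
// It models the bootstrap sequence from the answer against a constructed stand-in
// for OAuthService, so the "user cancelled logout at the IDP" case runs offline.

interface OAuthLike {
  loadDiscoveryDocument(): Promise<void>;
  tryLogin(): Promise<boolean>;
  hasValidAccessToken(): boolean;
  silentRefresh(): Promise<void>;
}

type Via = "storage" | "silent-refresh" | "none";
interface BootstrapResult { loggedIn: boolean; via: Via; reason?: string }

// The answer's promise chain, with a failed silent refresh handled explicitly
// instead of surfacing as an unhandled rejection at app start.
async function bootstrapSession(oauth: OAuthLike): Promise<BootstrapResult> {
  await oauth.loadDiscoveryDocument();
  await oauth.tryLogin(); // consumes a code or token in the URL, if one is present
  if (oauth.hasValidAccessToken()) {
    return { loggedIn: true, via: "storage" };
  }
  try {
    await oauth.silentRefresh();
  } catch (err) {
    // login_required from the IDP, or an iframe timeout when 3rd-party cookies are blocked
    return { loggedIn: false, via: "none", reason: (err as Error).message };
  }
  return oauth.hasValidAccessToken()
    ? { loggedIn: true, via: "silent-refresh" }
    : { loggedIn: false, via: "none", reason: "no token after silent refresh" };
}

// Constructed stand-in (hypothetical, not the library). Two pieces of state matter:
// the SPA's own token storage and the IDP's SSO session. Cancelling the logout at
// the IDP leaves the second intact while logOut() has already cleared the first.
class SimulatedOAuthService implements OAuthLike {
  readonly storage = new Map<string, string>(); // stands in for sessionStorage

  constructor(
    private idpSessionAlive: boolean,          // IDP SSO cookie still valid
    private thirdPartyCookiesBlocked = false,  // iframe cannot present that cookie
  ) {}

  seedToken(): void {
    this.storage.set("access_token", "constructed-token");
    this.storage.set("expires_at", String(Date.now() + 3_600_000));
  }

  logOut(): void {
    this.storage.clear(); // local tokens are dropped before the redirect to the IDP
  }

  async loadDiscoveryDocument(): Promise<void> { /* discovery document fetched here */ }

  async tryLogin(): Promise<boolean> { return this.hasValidAccessToken(); }

  hasValidAccessToken(): boolean {
    const exp = this.storage.get("expires_at");
    return exp !== undefined && Number(exp) > Date.now();
  }

  async silentRefresh(): Promise<void> {
    if (this.thirdPartyCookiesBlocked) throw new Error("silent refresh timeout");
    if (!this.idpSessionAlive) throw new Error("login_required");
    this.seedToken(); // IDP still has a session: a fresh token comes back via the iframe
  }
}

// User pressed "No" on the WSO2 logout page: local tokens gone, IDP session alive.
async function scenarioCancelledLogout(): Promise<BootstrapResult> {
  const oauth = new SimulatedOAuthService(true);
  oauth.seedToken();
  oauth.logOut();
  return bootstrapSession(oauth);
}

// User pressed "Yes": both the local tokens and the IDP session are gone.
async function scenarioCompletedLogout(): Promise<BootstrapResult> {
  const oauth = new SimulatedOAuthService(false);
  oauth.seedToken();
  oauth.logOut();
  return bootstrapSession(oauth);
}

// Same as the cancelled case, but the browser blocks 3rd-party cookies in the iframe.
async function scenarioBlockedCookies(): Promise<BootstrapResult> {
  const oauth = new SimulatedOAuthService(true, true);
  oauth.seedToken();
  oauth.logOut();
  return bootstrapSession(oauth);
}
```

The three scenarios give the outcomes the answer describes: the cancelled logout comes back logged in via the silent refresh, the completed logout stays logged out with `login_required`, and the blocked-cookie case also stays logged out, which is why the bootstrap must treat a failed silent refresh as "not signed in" rather than as an error.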