oidc-client-ts

My client doesn’t know when I have logged out elsewhere

Open adrianhand opened this issue 1 year ago • 3 comments

Once logged in to my oidc client app (call it my Portal app), during subsequent loads (page refresh/new tabs etc) the client calls getuser() and gets a result from local storage.

So if one of my other clients has triggered a logout, or if I’ve logged out from the OIDC implementation itself (identity server), I remain logged in to the Portal app because it just pulls from local storage and gets a result; it doesn’t care what happened elsewhere.

What am I missing about the intended flow here to make sure that logging out of one of my apps doesn’t leave me logged in to all the others?

adrianhand, Feb 11 '24 00:02

Yes, that is a feature of bearer tokens.

rwb196884, Feb 13 '24 10:02

Thank you for your reply! What would be the change I could make then to my use of the library that would force a client to check back with my identity provider to see if I have been logged out there (by some other client), instead of using the session/localstorage persisted token?

Right now my context is a single page application, which at the moment of load calls getuser() to get the previously used token - what can I do to instead force a user back to the identity provider every time, collect a bearer token if the user is already logged in, or ask them to log in if not?

adrianhand, Feb 13 '24 12:02

Are you using mgr.removeUser() or mgr.signoutRedirect? The latter logs you out on the IDP itself. To monitor the session, have a look at the setting monitorSession.

pamapa, Feb 13 '24 13:02
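
A sketch of the pattern the last reply points at, added here as an example and not part of the thread or of the oidc-client-ts code base: at load the stored user is kept only if the identity provider still reports a session for the same subject, and `monitorSession` clears it while the page stays open. `ManagerLike`, `StoredUser`, `restoreSession`, `watchForRemoteLogout` and the example URLs are assumptions made for this illustration; the interface mirrors the `UserManager` members it uses so the block compiles without the package.

```typescript
// Minimal shape of the oidc-client-ts UserManager members used here, declared
// locally (assumption) so the sketch compiles without the package installed.
interface StoredUser { expired?: boolean; profile: { sub: string } }
interface ManagerLike {
  getUser(): Promise<StoredUser | null>;
  removeUser(): Promise<void>;
  querySessionStatus(): Promise<{ sub?: string } | null>;
  events: { addUserSignedOut(cb: () => void): unknown };
}

// Settings fragment for the real UserManager; all values are placeholders.
const settings = {
  authority: "https://idp.example.test",
  client_id: "portal",
  redirect_uri: "https://portal.example.test/callback",
  monitorSession: true, // enables the library's session monitor
};

// Call at page load instead of trusting getUser() alone: the stored user is
// accepted only if the IdP still reports a session for the same subject.
async function restoreSession(mgr: ManagerLike): Promise<StoredUser | null> {
  const cached = await mgr.getUser();           // read from browser storage
  if (!cached || cached.expired) return null;
  let status: { sub?: string } | null = null;
  try {
    status = await mgr.querySessionStatus();    // silent round trip to the IdP
  } catch {
    status = null;                              // e.g. login_required: no IdP session
  }
  if (!status || status.sub !== cached.profile.sub) {
    await mgr.removeUser();                     // drop the stale local copy
    return null;                                // caller starts an interactive sign-in
  }
  return cached;
}

// While the page stays open, the session monitor raises userSignedOut when the
// IdP session ends; clear local state and notify the app (hypothetical callback).
function watchForRemoteLogout(mgr: ManagerLike, onLoggedOut: () => void): void {
  mgr.events.addUserSignedOut(() => {
    void mgr.removeUser();
    onLoggedOut();
  });
}
```

A real `UserManager` built from `settings` can be passed wherever `ManagerLike` is expected; a `null` result from `restoreSession` is the point at which the app would call its interactive sign-in.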