
Sessions kept when using multiple browser tabs

Open ludojmj opened this issue 1 year ago • 10 comments

Issue and Steps to Reproduce

When I connect to my SPA in a tab, I can reuse the same session in another tab. When I disconnect from the authority server in a tab, the session is still alive on the other tab. And if I connect to a different user on the authority server, I still see the other user's data in the other tab (and it's even more creepy within a frame).

Versions

v6.16.10

Screenshots

Expected

The session should be killed in all tabs when disconnecting (and above all, when changing user) in another tab.

Actual

(react version) The session is kept in every tab (or frame when my SPA is hosted by a master website) so that I can see Bob's personal data even if I disconnect Bob in another tab and then connect as Alice.

Additional Details

  • Installed packages: "@axa-fr/react-oidc": "^6.16.10",
const configuration = {
  client_id: xxx,
  redirect_uri: `${origin}/authentication/callback`,
  silent_redirect_uri: `${origin}/authentication/silent-callback`,
  scope: 'api-client openid email phone profile offline_access',
  authority: yyy,
  service_worker_relative_url: '/OidcServiceWorker.js',
  service_worker_only: false,
  monitor_session: true,
  token_renew_mode: 'access_token_invalid',
};

ludojmj avatar Mar 30 '23 17:03 ludojmj

No issue in private browsing! So the truth is out there :-/ Should I ask thousands of users to clean their cookies or should I tweak something in my conf?

ludojmj avatar Mar 31 '23 08:03 ludojmj

Hi @ludojmj, thank you for the feedback. This is strange, I will look at it this week.

guillaume-chervet avatar Apr 02 '23 13:04 guillaume-chervet

Which browser are you using?

guillaume-chervet avatar Apr 02 '23 13:04 guillaume-chervet

Firefox

ludojmj avatar Apr 03 '23 08:04 ludojmj

To sort it out, I chose the following options:

  • rename OidcServiceWorker.js into OidcServiceWorker<xxx>.js;
  • remove some (unnecessary?) features from the conf;
  • remove offline_access from the scope.

When upgrading from v6.12.1 to v6.16.12, this prevents:

  1. "Error Authenticating" when connecting to another account (oidcServiceWorker.js is stuck with the previous conf);
  2. staying connected in the other tab (the former user is not immediately disconnected though).

New conf:

const configuration = {
  client_id: xxx,
  redirect_uri: `${origin}/authentication/callback`,
  silent_redirect_uri: `${origin}/authentication/silent-callback`,
  scope: 'api-client openid email phone profile', // ==> offline_access removed from the scope
  authority: yyy,
  service_worker_relative_url: '/OidcServiceWorker<xxx>.js',
  // service_worker_only: xxx, //  ==> Formerly true
  // monitor_session: xxx, //  ==> Formerly true
  // token_renew_mode: 'access_token_invalid', //  ==> Formerly set
};

Maybe it would have been better to tweak the following features (?) but none worked for me:

  • token_renew_mode
  • refresh_time_before_tokens_expiration_in_second
  • monitor_session
  • offline_access in the scope

ludojmj avatar Apr 04 '23 17:04 ludojmj

Hi @ludojmj , which oidc server do you use? Thank you for this feedback.

guillaume-chervet avatar May 16 '23 07:05 guillaume-chervet

Hello @guillaume-chervet

I'm using https://demo.duendesoftware.com as identity server for testing and XConnect for Production.

  1. Eventually, I landed with the following configuration (duendesoftware.com with react-oidc v6.19.0):
export const configuration = {
  client_id: "interactive.public.short",
  redirect_uri: window.location.origin + "/authentication/callback",
  silent_redirect_uri: window.location.origin + "/authentication/silent-callback",
  scope: "openid profile email api offline_access",
  authority: "https://demo.duendesoftware.com",
  // COMMENTED OUT refresh_time_before_tokens_expiration_in_second: 10,
  service_worker_relative_url: '/OidcServiceWorker.js',
  service_worker_only: false,
  // COMMENTED OUT silent_login_timeout: 1000,
  // COMMENTED OUT monitor_session: true,
};

==> With demo.duendesoftware.com:

  • Same SPA in tab1 and tab2: disconnecting from tab2 is OK ---> initial tab1 is disconnected.
  • SPA in tab1 and duendesoftware.com in tab2: disconnecting from duendesoftware.com is NOT OK --> initial tab1 is still alive. I wonder why disconnecting directly from duendesoftware.com identity server won't work.
  2. With XConnect identity server (my SPA is still in react-oidc v6.12.1), my configuration is different to achieve (almost) the same goal:
const configuration = {
  client_id: specificConfig.clientId,
  redirect_uri: `${origin}/authentication/callback`,
  silent_redirect_uri: `${origin}/authentication/silent-callback`,
  scope: 'api-client openid email phone profile offline_access',
  authority: <<<<<<<<<< XConnect >>>>>>>>>>,
  service_worker_relative_url: '/OidcServiceWorker.js',
  service_worker_only: false,
  silent_login_timeout: 1000,
  monitor_session: true,
};

==> With XConnect identity server, I haven't actually tested so far since the behaviour is more or less what I'm expecting, i.e. disconnecting the child frame when the master web page has disconnected (I must wait one second for the child frame to be disconnected though).

ludojmj avatar May 16 '23 20:05 ludojmj

Hello @guillaume-chervet ! I have the same issue in the following case:

  1. Open tab1 with app1, that has clientId1 and login with user1.
  2. Open tab2 with app2, that has clientId2 and both of them are on the same SSO Server. Note: On the 2nd tab for app2 I am already logged in with user1, as expected from single sign on convention.
  3. Logout from tab2, from app2 and login with user2.

Error: On tab1 I am still logged in with user1. I was expecting to at least be logged out as per single sign on convention.

Is my expected behavior the correct one? Is this a problem with the axa-fr library or the SSO server implementation? Thanks!

DCosti avatar Feb 12 '24 13:02 DCosti

Hi @DCosti, to help you I may need more information. What does your oidc configuration look like? Which version are you using?

guillaume-chervet avatar Feb 12 '24 13:02 guillaume-chervet

Hi! I am using v7.13.6 and my config looks like this:

{
    client_id: env.REACT_APP_IDENTITY_CLIENT_ID,
    authority: env.REACT_APP_IDENTITY_AUTHORITY,
    redirect_uri: `${root}${AUTH.CALLBACK}`,
    silent_redirect_uri: `${root}${AUTH.SILENT_CALLBACK}`,
    scope: 'openid profile ' + env.REACT_APP_IDENTITY_SCOPE,
    refresh_time_before_tokens_expiration_in_second: 40,
    service_worker_relative_url: '/OidcServiceWorker.js',
    service_worker_only: true,
    monitor_session: true,
    token_renew_mode: TokenRenewMode.access_token_invalid
  }

I didn't explain in previous post my use case as it is. Here is the updated version:

  1. Open tab1 with app1, that has clientId1 and login with user1.
  2. Open tab2 with app2, that has clientId2 and both of them are on the same SSO Server. Note: On the 2nd tab for app2 I am already logged in with user1, as expected from single sign on convention.
  3. Close tab2.
  4. Logout from tab1, login with user2 (different from the one on step1).
  5. Open app2.

Error: On tab2 I am still logged in with user1.

Is my expected behavior the correct one? Is this a problem with the axa-fr library or the SSO server implementation? Thanks

DCosti avatar Feb 13 '24 06:02 DCosti