oidc-client
Won't disconnect current user if connected to another one in another tab
Issue and Steps to Reproduce
Issue
"react-oidc-redux": "^3.1.7": Even if disconnected in another tab, the current session is still alive in the actual tab (until the token times out). No such issue with "react-oidc-redux": "3.1.6".
Steps to Reproduce
New tab 1
- Link "protected1" or "protected2": connection to "Alice".
New tab 2
- https://demo.identityserver.io/Account/Logout
- https://demo.identityserver.io/Account/Login: connection to "Bob".
Back to tab 1
- Link "protected1" or "protected2": still being connected to "Alice".
- Won't switch to "Bob" session.
Expected
If disconnected in another tab, the current user must be disconnected in the working tab too.
Actual
Still connected to initial user even if another user has logged in in another tab.
Versions
"@axa-fr/react-oidc-redux": "^3.1.7",
Additional Details
Installed packages:
- "@axa-fr/react-oidc-redux": "^3.1.7",
- "oidc-client": "^1.11.5",
- "redux-oidc": "^3.1.7"
Hi @ludojmj, did you update anything other than our lib?
And also thank you for that awesome bug report :)
@ludojmj can you help with issue #611? It is missing in the redux and context readme.
Are you using inmemory storage?
I didn't update anything: I took the project as is. Since I didn't update anything, yes I use InMemoryWebStorage. Next step: trying without InMemoryWebStorage.
Same issue if I don't use InMemoryWebStorage. "oidc-client": "^1.11.5",
Is there a solution to this problem? I have a similar situation. Help me solve it
I have the same problem here when I disconnect I'm always connected to another tab. I use InMemoryStorage.
"@axa-fr/react-oidc-context": "^3.1.7",
The same for me, is there any way to handle it?
Hi @lomboboo, which version are you using? I think I can implement it quickly in v5.
Hello, thanks for quick response. I am using v5.12.0. My scenario is as follows (and this is really the only thing missing for me to cover all my cases):
- login with Tab1 in ApplicationA
- login with Tab2 in ApplicationB
- logout or delete idsrv (IdentityServer4) cookie from ApplicationB
- in Tab1 I am still logged in, no sessiontermination events fired.
We previously used another library which actually handled this case, but I like your solution more. Would be nice if there were an option to establish "monitoring" OP somehow and give an ability to handle this case.
Hi @lomboboo , thank you for your information.
Are you using the serviceworker version? When do you need it?
I think it is not too hard to implement, but I need some time.
You were previously using oidc client? (In background)
We used redux-oidc which is based on oidc-client-js. No, I don’t use service worker configuration, but can try if you think it should help. How long do you think this implementation can take?
Thank you for the information. I do not know about the time to do it. I have no idea how oidc client can do it because we are at client side. Maybe it uses post message between tabs. I have to check how oidc client does it if you need app A oidc client to be disconnected at the same time as application B oidc react. I need to use exactly the same mechanism. Did you configure something special in oidc client to have this behavior? oidc react V3 was using oidc client but we did not have the behavior.
I think I understood https://link.medium.com/OQ2r94gLirb I will continue to investigate and test that.
I don't think it has anything to do with the tabs specifically. You can logout from a different browser and it still emits logout from chrome tab. Basically, when you logout your idsrv cookie is deleted from all browsers/tabs, maybe there is a watch on that. I can take a look how it is triggered on the weekend.
@guillaume-chervet Hello, I've spent some time looking at how it is implemented in oidc-client-js. It is actually defined by the openid specs. The oidc-client-js implementation is actually very similar and handled by CheckSessionIFrame and SessionMonitor.
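Added example (not part of the comment above, and not code from oidc-client-js or react-oidc): a sketch of the check-session exchange from the OpenID Connect Session Management specification that the comment points to, with the RP-side decision that matters for the Alice/Bob case in this issue. The origins, client id, browser-state values and the `silentSignin` callback are constructed for illustration.

```javascript
// Added illustration; not code from oidc-client-js or react-oidc.
const { createHash } = require("crypto");

// OP side: session_state shaped as in the OpenID Connect Session Management
// example: sha256(client_id + " " + origin + " " + opbs + " " + salt) + "." + salt
function sessionState(clientId, rpOrigin, opBrowserState, salt) {
  const input = `${clientId} ${rpOrigin} ${opBrowserState} ${salt}`;
  return createHash("sha256").update(input).digest("hex") + "." + salt;
}

// OP iframe: answer the "client_id session_state" string posted by the RP.
// opBrowserState stands for the value tied to the OP login cookie.
function opCheckSession(message, senderOrigin, opBrowserState) {
  const parts = String(message).split(" ");
  if (parts.length !== 2) return "error";
  const [clientId, state] = parts;
  const salt = state.split(".")[1];
  if (!salt) return "error";
  const expected = sessionState(clientId, senderOrigin, opBrowserState, salt);
  return expected === state ? "unchanged" : "changed";
}

// RP side: act on the reply. silentSignin is a hypothetical callback doing a
// prompt=none request; it returns { sub, session_state } or throws when the OP
// has no session. Synchronous here only so the sketch runs outside a browser.
function rpHandleReply(event, opOrigin, currentUser, silentSignin) {
  if (event.origin !== opOrigin) return { action: "ignore" };
  if (event.data === "unchanged") return { action: "keep" };
  if (event.data !== "changed") return { action: "stop" }; // "error" or junk
  try {
    const fresh = silentSignin();
    if (fresh.sub !== currentUser.sub) return { action: "sign-out" };
    return { action: "keep", session_state: fresh.session_state };
  } catch (err) {
    return { action: "sign-out" };
  }
}

// Constructed scenario from this thread: Alice in tab 1, Bob logs in elsewhere.
function demo() {
  const rp = "https://rp.example", op = "https://op.example";
  const alice = { sub: "alice", session_state: sessionState("rp", rp, "opbs-1", "s1") };
  // The OP browser state is now "opbs-2" because Bob replaced Alice's session.
  const reply = opCheckSession(`rp ${alice.session_state}`, rp, "opbs-2");
  const bob = () => ({ sub: "bob", session_state: sessionState("rp", rp, "opbs-2", "s2") });
  return rpHandleReply({ origin: op, data: reply }, op, alice, bob).action;
}
```

In a browser the RP handler would be registered as a `message` listener, and the `event.origin` comparison on its first line is what keeps any other frame from forcing a sign-out or a silent sign-in.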
Thank you very much for your help, i will try to implement that quickly.
It is my next objective to set this behavior up.
Great, looking forward to
I was fighting with Mozilla but it is just a cookie problem in local development :]
I have to finish the PR (finish behavior and lot of clean refactor), but I got how it works. I think I will need a few more days. It is a great feature, thanks @lomboboo for your help!
my pleasure, can't wait to test it :)
Hi @lomboboo,
if you want you can give it a try:
https://black-rock-0dc6b0d03-817.westeurope.1.azurestaticapps.net/
Published under version 6.0.0-alpha0. The breaking change is that it requires a new silent_signin_uri property and the silent_redirect_uri needs to be declared to the OIDC server.
It seems stable, I need to clean and document it.
Thanks a lot for the effort! I am pretty busy at the moment, but will take a look closer probably next week
Here is a quick migration guide: https://github.com/AxaGuilDEv/react-oidc/blob/295776fbfeabde78f6d39ae5326f3a7da5050a11/MIGRATION_GUIDE_V5_TO_V6.md
@guillaume-chervet First of all thanks for the awesome feature!
I was wondering is it possible to pass auth or oidc object to the sessionLostComponent? For example, I would like to wait 5s and call signinRedirect there. I saw how you implemented this in the examples, but I think it would be much cleaner solution.
Also, can you please explain silent_signin_uri and silent_redirect_uri a bit more?
Hi @lomboboo, if you have that screen it is that silentsignin won't work.
In my app I set up a button in order to signin again. I will send you a sample in a next message.
Does the logout work well for you?
Here is a sample used in production: https://github.com/AxaGuilDEv/ml-cli/blob/master/src/Ml.Cli.WebApp/ClientApp/src/Server/shared/Oidc/SessionLost.component.js
redirect_uri: manages callback information after login and must be declared to your OIDC server
silent_signin_uri: route that triggers silent signin