oidc-client-js icon indicating copy to clipboard operation
oidc-client-js copied to clipboard

Published 20 hours ago verified publisher icon IdentityModel

docs: clearStaleState method doesn't actually clear local storage

Open lasfin opened this issue 6 years ago • 10 comments

I'm trying to clear localstorage manually:

const mng = new UserManager(config);
mng.clearStaleState().then(() => {
    console.log('clearState success');
}).catch((e) => {
    console.log('clearStateState error', e.message);
});

After that i see 'clearState success' at console, but localstorage is still fill with oidc.${hash} items. Could you provide any suggestions for fixing it? Thanks for your library.

lasfin avatar May 31 '18 09:05 lasfin

There is a created property which tells when the local storage got created, https://github.com/IdentityModel/oidc-client-js/blob/dev/src/State.js#L63 you can see why it is not removing that, it only removes the storage keys that are fallen in the criteria of when it actually got created,

vejandla avatar May 31 '18 22:05 vejandla

clearStaleState only cleans entries older than the configured age. perhaps this is why you are still seeing some entries?

brockallen avatar Jun 03 '18 14:06 brockallen

Any update?

brockallen avatar Jun 06 '18 13:06 brockallen

I think there is confusion here because the documentation for the userStore optional setting says that sessionStorage is the default, but the original question was about clearing localStorage. So, if you used the default storage for userStore but want to clear entries in localStorage using clearStaleState you need to pass an instance of WebStorageStateStore as the first argument to clearStaleState.

Something like await clearStaleState(new WebStorageStateStore({ store: window.localStorage })).

Do the signinSilent methods make entries into localStorage by default?

morganney avatar Oct 26 '18 22:10 morganney

Do the signinSilent methods make entries into localStorage by default?

For those, yes -- that's where the nonce/state is stored. localStorage is used (instead of sessionStorage) since in IE/Edge they flush sessionStorage when the browser changes hosts/domains. So in short, we need to use localStorage for the nonce/state piece to survive the round trip.

The user's session is in sessionStorage (by default).

brockallen avatar Oct 26 '18 22:10 brockallen

Thanks for the timely response.

Perhaps the documentation or samples could be updated to indicate that siginSilent methods make use of localStorage by default so making use of clearStaleState requires an argument of WebStorageStateStore pointed at localStorage to remove those entries (using default settings)?

It wasn't particularly clear and I only stumbled upon the right solution after seeing this thread and reading source code. Those entries can add up pretty quickly depending on how the expiration of your token is configured by the provider.

morganney avatar Oct 26 '18 22:10 morganney

Hi, I'd really like some clarification around this issue as I'm running into what I believe to be the same or at least similar problem that the docs arent helping much with:

I'm using the UserManager, and passing in settings with

userStore: new WebStorageStateStore({ store: window.localStorage })

The signin callback and silent renew both reference the same instance of the user manager and it's working fine as they are all using localStorage. After running into an unrelated bug that stopped oidc seeing the callback page, it ran in a loop making lots of incomplete calls, filling the local storage with oidc.${hash} items. Once fixed, I realised they were all staying there in local storage, nothing was clearing them up. After seeing this and wanting an automated solution, I decided to test calling clearStaleState() and realised this wasn't removing them. In the debug it seems to check them and something to do with every related key, but not remove them.

So what I'd like to know is: When is a state considered "Stale"? When should we actually be calling clearStaleState() ourselves, and when is it done automatically?

On the UserManager, the clearStaleState function can't take any parameters according to the types, so I assume It's taking the UserManager instances userstore's value. Is there a chance this is failing and It's trying to instead clear sessionStorage?

Thanks in advance

DMon19 avatar Nov 01 '19 17:11 DMon19

Call clearStaleState in your app, as it's not called automatically. The stale lifetime is a setting set via the options staleStateAge and defaults to 15m. This clears local storage entries from incomplete OIDC requests. This state is unrelated to a user session, which is kept in session storage by default.

brockallen avatar Nov 01 '19 19:11 brockallen

Perfect, Thanks :)

DMon19 avatar Nov 04 '19 14:11 DMon19

Thanks for the timely response.

Perhaps the documentation or samples could be updated to indicate that siginSilent methods make use of localStorage by default so making use of clearStaleState requires an argument of WebStorageStateStore pointed at localStorage to remove those entries (using default settings)?

It wasn't particularly clear and I only stumbled upon the right solution after seeing this thread and reading source code. Those entries can add up pretty quickly depending on how the expiration of your token is configured by the provider.

Hey, I want to know how the configuration of expiration of token is related in this case? The entries in my local storage got filled up preety quickly once the expiration time was set to 7 days for some testing purpose.

dev-end avatar Nov 02 '20 06:11 dev-end