oidc-client-ts

Token not expiring when browser is closed

Open shipswake opened this issue 10 months ago • 3 comments

We have a rather odd occurrence here.

We are using refresh tokens to renew the token.

Steps to reproduce:

1. Set the token and refresh token lifetimes short (300)
2. Login
3. Close the browser
4. Wait until the token and refresh token have expired
5. Open the browser

The user is still logged in and there is no redirect

Any thoughts on what we have missed?

shipswake, Feb 20 '25 18:02

@shipswake - if you tweak the token lifetimes in keycloak in the sample repo, are you able to reproduce it there as well?

zach-betz-hln, Feb 20 '25 18:02

Could be the signin silent with the hidden iframe. Even if your tokens have expired, if the user still has an open session at the IdP, this technique allows contacting the IdP and getting the user's tokens using his session cookie.

Badisi, Feb 20 '25 20:02
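One way to check the hypothesis in the comment above, as an added example that is not part of the thread or of oidc-client-ts: decode the access token found in storage after reopening the browser and compare its `iat` and `exp` claims with the reopen time. It assumes the access token is a JWT carrying numeric `iat` and `exp` claims; the function names, result labels and sample tokens are constructed for illustration.

```javascript
// Added diagnostic example (Node.js); not oidc-client-ts code.
// Claims are decoded WITHOUT signature verification: use for debugging only,
// never to make an authorization decision.
function decodeJwtClaims(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// reopenedAt and now are Unix timestamps in seconds.
function classifyToken(jwt, reopenedAt, now) {
  const { iat, exp } = decodeJwtClaims(jwt);
  if (typeof iat !== "number" || typeof exp !== "number") return "missing-claims";
  // The app holds a token past its lifetime: expiry is not being enforced client-side.
  if (exp <= now) return "expired-token-still-in-use";
  // A token minted after the browser was reopened: something renewed it silently,
  // for example a prompt=none request backed by a live IdP session cookie.
  if (iat >= reopenedAt) return "reissued-after-reopen";
  // The token from the original login is still valid: the short lifetime
  // configured at the IdP is not the one actually applied to this client.
  return "original-token-still-valid";
}

// Builds a constructed sample token with a placeholder signature.
function makeSampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.placeholder`;
}

// Constructed scenario: login at t=1000000, 300 s lifetime, browser reopened 600 s later.
const reopenedAt = 1000600;
const now = 1000660;
const samples = {
  stale: makeSampleJwt({ iat: 1000000, exp: 1000300 }),
  renewed: makeSampleJwt({ iat: 1000605, exp: 1000905 }),
  longLived: makeSampleJwt({ iat: 1000000, exp: 1003600 }),
};
for (const [name, token] of Object.entries(samples)) {
  console.log(name, "=>", classifyToken(token, reopenedAt, now));
}
```

A "reissued-after-reopen" result is consistent with renewal through the IdP session; ending that session at the IdP (logout or a short SSO session lifetime) is what would then force a redirect.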

Unable to reproduce with the sample repo. Any thoughts on what setting can cause this?

shipswake, Feb 21 '25 16:02