I am using angular-oauth2-oidc with Identity Server 4.
Users need to log in via OpenID Connect Implicit Flow. My ID and access token are stored in the web browser's localStorage.
When a user opens multiple browser tabs and then logs out from one of the tabs, how should I handle the rest of the tabs?
I have tried to catch session_terminated events, and then try to log the user out. However, it does not redirect the user back to the login page.

```typescript
import { filter } from 'rxjs/operators';

// Log the user out of this tab as soon as the library reports the IdP session as terminated.
// Note: the OAuthService method is spelled logOut(), not logout().
this.oauthService.events
  .pipe(filter(e => e.type === 'session_terminated'))
  .subscribe(() => { this.oauthService.logOut(); });
```
Any suggestions? Thanks.
I've experienced a similar issue: using angular-oauth2-oidc with the default storage (sessionStorage) leads to the behaviour that if a user opens a new tab (Tab B), he is logged in again with a new token. When he logs out on Tab A, the token stored in the sessionStorage of Tab B is still there, of course. Using localStorage has the disadvantage that the token is persisted even if the browser is closed (kind of a "keep me logged in").
What I've done to overcome this is use my own OAuthStorage that internally uses sessionStorage, but if the user logs out, it sends an event to all other open browser tabs and triggers a clearing of the session storages there.
See the according gist.
Interesting. It was on my to do list to see how this works with the library anyways.
I had already created a dedicated playground example repo that was perfect for testing this. What I found was that there are two distinct scenarios:
Only in the first scenario do you get a session_terminated event. In the second scenario (which you seem to have) you get a session_error event in the second tab because the first tab:
You can see as much in these screen captures:
Scenario 1: log out explicitly in a third tab
Scenario 2: log out from the app
So I think your solution is to also hook into session_error, or something similar.
Footnote: thinking some more about the above, I reckon that other workarounds might also be possible by listening to localStorage events, and noticing when the access_token is being cleared by another tab.

This is what the OIDC session management spec is all about. You can be notified on the client side when the user's IdP session changes/ends and then react accordingly.
http://openid.net/specs/openid-connect-session-1_0.html#ChangeNotification
Works well, doesn't have any network overhead and gives you full control over what to do when the condition is detected.
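As an added example (not from the thread or the library), here is one way to build the cross-tab logout storage described in the second reply, which also covers the footnote's idea of watching localStorage events: tokens stay in the per-tab sessionStorage, and only a short-lived logout signal is written to localStorage so that other tabs clear their tokens and leave the protected UI. The OAuthStorageLike interface, the key name and the in-memory stand-ins are assumptions; in a browser you would pass sessionStorage, localStorage and `h => window.addEventListener('storage', h)`.

```typescript
// Shape of angular-oauth2-oidc's abstract OAuthStorage (assumption: getItem/setItem/removeItem).
export interface OAuthStorageLike { getItem(k: string): string | null; setItem(k: string, v: string): void; removeItem(k: string): void; }
export type StorageEvt = { key: string | null; newValue: string | null };
export const LOGOUT_KEY = 'oidc_logout_broadcast'; // hypothetical signal key, never holds a token
// Per-tab token store (sessionStorage in a browser) that watches the shared store (localStorage) for a logout signal.
export class CrossTabSessionStorage implements OAuthStorageLike {
  constructor(
    private perTab: OAuthStorageLike & { clear(): void },   // sessionStorage
    private shared: OAuthStorageLike,                       // localStorage
    onSharedChange: (h: (e: StorageEvt) => void) => void,   // window 'storage' listener
    private onRemoteLogout: () => void,                     // e.g. router.navigate(['/login'])
  ) {
    onSharedChange(e => {
      if (e.key === LOGOUT_KEY && e.newValue !== null) { this.perTab.clear(); this.onRemoteLogout(); }
    });
  }
  getItem(k: string) { return this.perTab.getItem(k); }
  setItem(k: string, v: string) { this.perTab.setItem(k, v); }
  removeItem(k: string) { this.perTab.removeItem(k); }
  // Call from the app's logout handler before oauthService.logOut(). Browsers raise 'storage' only in *other* tabs and only on a changed value, hence the timestamp.
  broadcastLogout() {
    this.perTab.clear();
    this.shared.setItem(LOGOUT_KEY, String(Date.now()));
    this.shared.removeItem(LOGOUT_KEY); // leave nothing behind in localStorage
  }
}
// In-memory stand-ins (constructed) so the class can be exercised outside a browser.
export class MemoryStorage implements OAuthStorageLike {
  m = new Map<string, string>();
  getItem(k: string) { return this.m.get(k) ?? null; }
  setItem(k: string, v: string) { this.m.set(k, v); }
  removeItem(k: string) { this.m.delete(k); }
  clear() { this.m.clear(); }
}
// Mimics localStorage semantics: a write from one tab raises 'storage' in every other tab, not its own.
export class SharedStoreBus {
  private data = new MemoryStorage();
  private handlers = new Map<number, (e: StorageEvt) => void>();
  forTab(id: number) {
    const fire = (key: string, newValue: string | null) =>
      this.handlers.forEach((h, tab) => { if (tab !== id) h({ key, newValue }); });
    const store: OAuthStorageLike = {
      getItem: k => this.data.getItem(k),
      setItem: (k, v) => { this.data.setItem(k, v); fire(k, v); },
      removeItem: k => { this.data.removeItem(k); fire(k, null); },
    };
    return { store, onChange: (h: (e: StorageEvt) => void) => { this.handlers.set(id, h); } };
  }
}
```

Register the instance as the library's OAuthStorage provider and call broadcastLogout() from the same code path that calls logOut(); the tab that initiated the logout handles its own redirect, the others do it from onRemoteLogout.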