angular-auth-oidc-client: Silent renew not working in a new tab

Description

When a user is logged-in in my app and opens the same app in a new tab, oidcService returns isAuthenticated = false after hitting the timeout. Calling “login” logs in the user directly without authorization.

Logs

This happens when opening a new tab when the first tab is authorized. (screenshot not included)

This happens when refreshing a page which is authorized. The only warning: init check session: authWellKnownEndpoints is undefined


I have configured the frame CSP, the silent-renew.html file is added to the assets array etc. The silent renew frame is actually loading, but the checkSession iframe is empty.

Configuration

{
  "stsServer": "http://localhost:3000",
  "redirect_url": "http://localhost/account/callback",
  "client_id": "octavo",
  "response_type": "code",
  "post_logout_redirect_uri": "http://localhost/account/bye",
  "start_checksession": true,
  "silent_renew": true,
  "silent_renew_url": "http://localhost/silent-renew.html",
  "log_console_warning_active": true,
  "log_console_debug_active": true
}

Versions

  • Angular: 9.0.1
  • oidc-client: 10.0.15

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 17 (9 by maintainers)

Most upvoted comments

This has been refactored, fixed and changed in version 11, which we plan to release in the next few days after testing.

Greetings Damien

Considering what I know about OIDC, the article about Secure authentication for SPAs by Dennis Stötzel and my personal experience, I believe the best option would be:

  1. A new tab should automatically silent renew, if possible.
  2. Logout of one of the tabs, should logout from the other tabs by using the check session. Once the STS cannot confirm the user is logged in, the tab clears the sessionStorage.

I believe this should be the default behaviour. Otherwise, it’d be possible for a user to log-in in tab1 with user A, logout from the STS, open tab2 and login with userB. Ultimately, the user will face issues on tab1 since the renew will fail at some point.

Thanks for your time. Please, let me know your thoughts and points of view too. 😃

This was working in the previous release. It just cropped up in 10.0.15.

@k-schneider haven’t decided, I would like to support 8, but also want to move to Angular 9 for the development. But it would make sense to support V8 onwards I think. I also have a lot of V8 projects still.

The new tab does not have access to the session storage of the other tab. So you do not have access to any tokens received previously.

@GabrielGil thank you, I have read the article.

I’d agree with @GabrielGil… a new tab should always try and login via silent refresh (if silent refresh is enabled) and your checksession functionality should be able to handle logging you out of all tabs when your session ends on the STS.

@damienbod what version of Angular will v11 target? Will it work with both Angular v8 and v9?

@remkoboschker no, you would need to click login

I plan to refactor this for version 11. I have 3 use cases, and not sure which is best, or if I should support all with configuration:

  • A new tab is a new instance and so must login (login click required)
  • A user tab is a new instance and the app should automatically login (Silent renew from the beginning)
  • If I logout of tab 1 instance, should tab 2 be logged out, or not?

What would you require?

Any update on this issue? Will downgrade for now.

You are right @k-schneider. I have checked my app just downgrading to 10.0.14 and I can confirm this issue is a regression. In a new tab, the iframe for silent renew just kicks in directly so users are finely authenticated.

Let me know if any clarification is needed or I can help in any way @damienbod.