Log out user when idle using IdentityServer4 + oidc-client-js in Angular

Submitted by 做~自己de王妃 on 2021-01-29 18:43:46

Question


On my application I have a timeout feature so when the user is idle for X minutes I want to sign out from Identity Server.

My first attempt was to manually create the call without having the user navigate to the Logout controller.

This code looks like this (Angular + TS):


    // Attempt: call the end-session endpoint via XHR instead of a top-level redirect.
    this.userManager
      .createSignoutRequest({ id_token_hint: this.user && this.user.id_token })
      .then(signout_request => {
        this.http
          .get(signout_request.url, {
            responseType: 'text',
            headers: new HttpHeaders().set(InterceptorSkipHeader, '') // Ignores token http-interceptor
          })
          .subscribe(_ => {
            // Drop the local user state, then show the timeout page.
            this.userManager.removeUser().then(_ => {
              window.location.href = '/timeout'; // Navigate to page that informs user has been timed out
            });
          });
      });

I can see it goes to the endsession endpoint with an id_token_hint and the proper redirect_url; however, when I try to log back into the application, it gives me a token without asking me for the credentials again, which defeats its purpose.

The regular signout function from the oidc-client-js library works fine.


    this.userManager
      .signoutRedirect()
      .then(res => {
        if (!environment.production) {
          // console.log('Redirection to signout triggered.', res);
        }
      })

The only caveat is that I would like to present the user additional information stating that they have been timed out due to inactivity and I'm not sure how.

This function accepts a post_logout_redirect_uri and a state as parameters, but I haven't been able to successfully grab those on my IdentityServer (I'm still a novice with .NET).

Is this the wrong approach? Shall I navigate the user back to my Angular app using something like a /timeout route to show this message?

Thanks for your input


Answer 1:


Calling the end session endpoint in this way is not supported AFAIK - it must be a top level navigation since it may involve presenting a UI. No cookies will be sent when doing a CORS request like this.

A better option may be to use the max_age authorize endpoint parameter in the sign-in request and check auth_time in the resulting id_token to ensure it's not older than you want. That way you'll only get a new token if they authenticated within the time period you provide, but you don't have to worry about explicitly signing the user out.

post_logout_redirect_uri is indeed the correct thing to use to take the user back to somewhere within your app after signing out. These URIs must be pre-registered against the client.
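The max_age / auth_time approach and the post_logout_redirect_uri hand-off described in the answer above, as an added example that is not code from the question, the answer, or oidc-client-js. It is plain Node.js with no library dependency; the function names (buildAuthorizeUrl, decodeJwtPayload, isAuthFresh, buildEndSessionUrl), the authority https://id.example and the app URLs https://app.example/... are assumptions, and the sample id_token is constructed and unsigned. The /connect/authorize and /connect/endsession paths are IdentityServer4's default endpoint paths.

```javascript
// Added example, not code from the question, the answer or oidc-client-js.
// Assumed names: buildAuthorizeUrl, decodeJwtPayload, isAuthFresh, buildEndSessionUrl,
// https://id.example (OP) and https://app.example (SPA).

// base64url helpers (JWT segments are base64url without padding).
function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function base64UrlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 ? '='.repeat(4 - (b64.length % 4)) : '';
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

// Authorize request carrying max_age: the OP must actively re-authenticate the user
// if their session there is older than maxAgeSeconds, and must then include
// auth_time in the id_token (OIDC Core 1.0, section 3.1.2.1).
function buildAuthorizeUrl({ authority, clientId, redirectUri, maxAgeSeconds, state, nonce }) {
  const params = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'code',
    scope: 'openid profile',
    max_age: String(maxAgeSeconds),
    state,
    nonce,
  });
  return `${authority}/connect/authorize?${params.toString()}`;
}

// Read claims from a compact JWT WITHOUT verifying it. Signature, iss, aud, exp and
// nonce validation is the OIDC client library's job; call this only on a token
// that has already passed that validation.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Freshness check on auth_time. A missing or non-integer auth_time is stale, never
// fresh: when max_age was requested the OP is required to send it, so its absence
// means the token cannot prove a recent login. Small tolerance for clock skew.
function isAuthFresh(claims, maxAgeSeconds, now = Math.floor(Date.now() / 1000), skewSeconds = 60) {
  const authTime = claims.auth_time;
  if (!Number.isInteger(authTime)) return false;
  if (authTime > now + skewSeconds) return false; // authenticated "in the future": reject
  return now - authTime <= maxAgeSeconds;
}

// End-session URL meant for a TOP-LEVEL navigation (window.location.assign), not XHR:
// the OP's session cookie is not sent on a plain cross-origin XHR, so nothing ends.
// post_logout_redirect_uri must be pre-registered on the client; state is echoed
// back so the /timeout page can tell an idle timeout from an ordinary logout.
function buildEndSessionUrl({ authority, idToken, postLogoutRedirectUri, state }) {
  const params = new URLSearchParams({
    id_token_hint: idToken,
    post_logout_redirect_uri: postLogoutRedirectUri,
    state,
  });
  return `${authority}/connect/endsession?${params.toString()}`;
}

// Constructed sample id_token for offline runs: unsigned ("alg":"none"), so a real
// client library would reject it; it only exercises the claim parsing here.
function makeSampleIdToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.`;
}

// Example flow with a fixed clock so the result is deterministic.
function demo() {
  const now = 1700000000;
  const maxAge = 900; // 15 minutes: the longest "last active login" we accept
  const token = makeSampleIdToken({ sub: 'alice', auth_time: now - 500, exp: now + 3600 });
  const claims = decodeJwtPayload(token);
  return {
    authorizeUrl: buildAuthorizeUrl({
      authority: 'https://id.example', clientId: 'spa',
      redirectUri: 'https://app.example/callback', maxAgeSeconds: maxAge,
      state: 'xyz', nonce: 'n-1',
    }),
    fresh: isAuthFresh(claims, maxAge, now),
    endSessionUrl: buildEndSessionUrl({
      authority: 'https://id.example', idToken: token,
      postLogoutRedirectUri: 'https://app.example/timeout', state: 'reason=idle',
    }),
  };
}
```

In the Angular app the decoding step is unnecessary: after oidc-client-js has validated the id_token, its claims are on the returned user object (auth_time should be in user.profile; confirm against your library version), so only the freshness check is needed before trusting a silently renewed token.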



Source: https://stackoverflow.com/questions/57607178/log-out-user-when-idle-using-identityserver4-oidc-client-js-in-angular
