Angular-auth-oidc-client: When session state becomes blank app doesn't receive any event

Created on 3 Aug 2020 · 5 Comments · Source: damienbod/angular-auth-oidc-client

Hello,
The recursive function pollServerSessionRecur doesn't emit any event when the session state becomes blank; it only logs a message to the console:
https://github.com/damienbod/angular-auth-oidc-client/blob/23eed52e85a6e838f381b8bc5c3345bf6a446861/projects/angular-auth-oidc-client/src/lib/iframe/check-session.service.ts#L110-L112

After some investigation I found that in version 10 such a notification event was included inside the pollServerSessionRecur function:
https://github.com/damienbod/angular-auth-oidc-client/blob/1df7d5ec07f89862bedeee9f3dfad27a1b82c8fb/projects/angular-auth-oidc-client/src/lib/services/oidc.security.check-session.ts#L108-L111

Is there any reason why you decided to remove the check session changed event notification from version 11?

Use case where it's important:
If a user has opened two tabs and logs out in one tab, then in the second tab our app doesn't receive any event and the check session process will simply log the following message:
OidcSecurityCheckSession pollServerSession session_state is blank
And the user will still be logged in because the isAuthenticated$ observable doesn't emit an updated value.


All 5 comments

I'm also having trouble getting isAuthenticated$ to update correctly based on check session using code flow.
What is the correct way to check if the user is still logged in once the "changed" event arrives? I can't see any relation between isAuthorized$ and the check session response. I can get checkSessionChanged$ to fire if I log out from a different tab and I only get the "session_state is blank" error once the token expires.

The only "workaround" I found was

        this.oidcSecurityService.checkSessionChanged$.subscribe((x) => {
          this.oidcSecurityService.logoffLocal();
          this.oidcSecurityService.checkAuthIncludingServer().subscribe((x) => {
            console.log('Auth', x);
          });
        });

But that feels a bit hacky...is that really the way it should be done?

Also: Is there a way to poll for a session? Is it a good idea to do checkAuthIncludingServer every minute? I don't think the checksession endpoint works when logged out, right?

@WolfspiritM, thanks for your interest!
I want to clarify one part of your reply:

> I can get checkSessionChanged$ to fire if I log out from a different tab

I don't understand how you achieved it.

I'm using authorization code flow. After successful authorization on my IS and code exchange on my client app I'm subscribing to all available events (observable objects) from the angular-auth-oidc-client library:

  • OidcSecurityService.checkSessionChanged$
  • OidcSecurityService.isAuthenticated$
  • OidcSecurityService.userData$
  • PublicEventsService.registerForEvents()

Then, if I log out in one browser tab, the other tabs (which were already open) don't receive any events (values) which would indicate that the user has been logged out. They will simply log the following message:
OidcSecurityCheckSession pollServerSession session_state is blank

Here is my console log:
[image]

So as you can see, none of the observables receives any event after logout from a different browser tab.

P.S.: I know that if I reload that page the app will understand that the user isn't authenticated, but it should be determined dynamically by JS.

Hi @Expelz,

where do you store the tokens and other authentication data? Do you set storage: localStorage in the config? Or do you use your own implementation of AbstractSecurityStorage?

Anyway, it looks like the storage you use is shared between browser tabs. One possible workaround for you is to use sessionStorage instead. It is not shared between tabs and when you log off from the app in one tab, session_state is not deleted in the second tab, so checkSessionChanged$ emits true.

But I would also like to know the answer to the original question.

I assume it describes the situation when storage shared between tabs (e.g. localStorage) is used. When the same app runs in two tabs and the user logs off in one tab, the app in the second tab does not get any event from the checkSessionChanged$ observable. In version 10, it used to get this event.

@damienbod @FabianGosebrink Is there any reason why this line was removed in version 11? In my opinion, it should be there.
https://github.com/damienbod/angular-auth-oidc-client/blob/1df7d5ec07f89862bedeee9f3dfad27a1b82c8fb/projects/angular-auth-oidc-client/src/lib/services/oidc.security.check-session.ts#L110
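
The behaviour discussed in this thread, as an added TypeScript model that is not part of any comment and is not the library's code: tab B keeps polling while tab A logs out, with storage either shared between tabs (localStorage) or per-tab (sessionStorage), and with a blank session_state either only logged (as reported for version 11) or also emitted (as described for version 10). All type and function names are hypothetical, the session value is constructed, and the identity server's check-session reply is reduced to a string comparison.

```typescript
// Hypothetical model of one check-session poll tick; not the library's source.
type Store = Map<string, string>;
type BlankPolicy = 'log-only' | 'emit-changed'; // v11 as reported vs. v10 as described
interface Op { active: string | null }          // live session at the identity server
interface Tab { store: Store; events: string[]; log: string[] }

function pollOnce(tab: Tab, op: Op, policy: BlankPolicy): void {
  const sessionState = tab.store.get('session_state') ?? '';
  if (sessionState === '') {
    tab.log.push('session_state is blank');
    if (policy === 'emit-changed') tab.events.push('checkSessionChanged');
    return; // the identity server is never asked, so nothing else can fire
  }
  // Stand-in for the check-session iframe reply: stored state vs. live session.
  if (sessionState !== op.active) tab.events.push('checkSessionChanged');
}

// Tab A logs out while tab B keeps polling; returns tab B for inspection.
function logoutInOtherTab(sharedStorage: boolean, policy: BlankPolicy): Tab {
  const state = 'constructed-session-state'; // sample value, constructed
  const op: Op = { active: state };
  const storeA: Store = new Map<string, string>([['session_state', state]]);
  // localStorage: both tabs see one store. sessionStorage: tab B has its own copy.
  const storeB: Store = sharedStorage ? storeA : new Map<string, string>(storeA);
  const tabB: Tab = { store: storeB, events: [], log: [] };

  pollOnce(tabB, op, policy);      // still logged in: no event, no log line
  storeA.delete('session_state');  // tab A clears its local auth data
  op.active = null;                // the session ends at the identity server
  pollOnce(tabB, op, policy);      // first poll in tab B after the logout
  return tabB;
}

function describe(sharedStorage: boolean, policy: BlankPolicy): string {
  const tab = logoutInOtherTab(sharedStorage, policy);
  const storage = sharedStorage ? 'shared storage' : 'per-tab storage';
  return `${storage}, ${policy}: events=[${tab.events.join(',')}] log=[${tab.log.join(',')}]`;
}

console.log(describe(true, 'log-only'));      // tab B stays "logged in"
console.log(describe(true, 'emit-changed'));  // tab B is notified
console.log(describe(false, 'log-only'));     // tab B is notified via the server check
```

Only the first case leaves tab B with no event, which is the stale authenticated state the original report describes.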

Hello @damienbod, @valdian
I've prepared a PR #896 with the fix. Please review and consider including it in the next release.
