Angular-oauth2-oidc: Session check for code flow does not work

Created on 26 Dec 2019 · 6 Comments · Source: manfredsteyer/angular-oauth2-oidc

Describe the bug

Hi,

I'm implementing code flow in Angular and am trying to get the session check to work.
I have set sessionChecksEnabled to true and I get a warning message in the console saying sessionChecksEnabled is activated but there is no session_state.

I've scanned through the initCodeFlow function and found that storeSessionState is never called. Does that mean session checks are only for implicit flow?

bug

All 6 comments

I assume this was done because refreshing a token is completely detached from your login state on the authority.

I've found you can work around this by manually extracting the session_state querystring parameter and inserting it into OAuthStorage prior to calling the configure method. If you do this (and set sessionChecksEnabled to true) then the iframe is created as expected and functions correctly.

I'm not sure why this library couldn't do this if sessionChecksEnabled was explicitly set to true for code flow?

@k-schneider May I know how to manually extract this session state? I am facing the same issue. Or is there any other way to do single logout?

I can confirm that if I start the most recent commit in my Code Flow branch in my sample repository, session checks no longer work, whereas they _do_ work with master, which currently has implicit flow.

Steps to reproduce:

  1. Clone and check out this commit
  2. npm ci
  3. ng serve --open
  4. Keep your app open, and in another tab go to https://demo.identityserver.io/grants and click "log out" at the top.
  • Actual result: Angular app doesn't change
  • Expected: Angular app sees the logout

If you do the same steps with the master branch using implicit flow, you do get logged out in Angular after step 4.

As far as I know, I'd consider this a _bug_, since the session checks spec doesn't care with which flow you logged in?

Sorry for the late reply, just getting back from an extended vacation. Here's how you could hack around the problem if you really need to (haven't tested this in the latest release):

private initSessionChecks(): void {
  // The oidc lib does not support session checks with code flow (yet)
  // but we can work around this limitation by manually setting
  // the storage key if a session_state querystring value is available
  if (this.authConfig.sessionChecksEnabled && typeof window !== 'undefined') {
    let queryString = window.location.search;
    if (queryString.charAt(0) === '?') {
      queryString = queryString.substr(1);
    }
    const parts: any = this.urlHelper.parseQueryString(queryString);
    if (parts && parts.session_state) {
      this.authStorage.setItem('session_state', parts.session_state);
    }
  }
}

In this example this.urlHelper is UrlHelperService from angular-oauth2-oidc. You need to have this code execute before you let the OAuthService do its "try login".
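The workaround in the comment above, written out in plain TypeScript as an added example; this is not code from angular-oauth2-oidc and not code posted by anyone in this thread. It assumes a hypothetical KeyValueStorage interface (the getItem/setItem subset of the library's OAuthStorage) with an in-memory MemoryStorage stand-in, and the function names captureSessionState, queryStringOf, parseQueryString, checkSessionMessage and interpretCheckSessionReply are mine, as are the sample redirect URLs and the client id. It goes one step beyond the thread's hack by also showing why the stored session_state matters: in OpenID Connect Session Management 1.0 the RP posts "<client_id> <session_state>" to the OP's check_session_iframe and gets back "changed", "unchanged" or "error", so without a stored value there is nothing to post.

```typescript
// Added example, not code from angular-oauth2-oidc or from anyone in this thread.
// Storage class, URLs and client id below are constructed for illustration.

// Subset of the Storage API that the library's OAuthStorage exposes (assumed).
export interface KeyValueStorage {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
}

// In-memory stand-in for sessionStorage so the example runs outside a browser.
export class MemoryStorage implements KeyValueStorage {
  private readonly items = new Map<string, string>();
  getItem(key: string): string | null {
    const v = this.items.get(key);
    return v === undefined ? null : v;
  }
  setItem(key: string, value: string): void {
    this.items.set(key, value);
  }
}

// Key the library looks for before starting its check_session_iframe loop.
export const SESSION_STATE_KEY = 'session_state';

// Query part of an href, without the leading '?' and without any fragment.
export function queryStringOf(href: string): string {
  const noFragment = href.split('#')[0];
  const q = noFragment.indexOf('?');
  return q < 0 ? '' : noFragment.substring(q + 1);
}

// Decode one component; malformed percent-encoding is returned verbatim instead
// of throwing, since the redirect URL is input the user (or an attacker) controls.
function safeDecode(s: string): string {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (_err) {
    return s;
  }
}

// Parse "a=1&b=2" into a plain object (last duplicate key wins).
export function parseQueryString(qs: string): Record<string, string> {
  const out: Record<string, string> = {};
  for (const pair of qs.split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const key = eq < 0 ? pair : pair.substring(0, eq);
    const val = eq < 0 ? '' : pair.substring(eq + 1);
    out[safeDecode(key)] = safeDecode(val);
  }
  return out;
}

// Code-flow callback: the OP appends session_state next to code and state.
// Persist it under the key the library reads, before tryLogin() consumes the URL.
// Returns the value now in storage, or null if there is none.
export function captureSessionState(href: string, storage: KeyValueStorage, enabled: boolean): string | null {
  if (!enabled) return null;
  const fromUrl = parseQueryString(queryStringOf(href))['session_state'];
  if (fromUrl) {
    storage.setItem(SESSION_STATE_KEY, fromUrl);
    return fromUrl;
  }
  // A navigation without session_state (e.g. a plain reload) keeps the earlier value.
  return storage.getItem(SESSION_STATE_KEY);
}

// OpenID Connect Session Management 1.0: the RP posts "<client_id> <session_state>"
// to the OP's check_session_iframe; the OP answers "changed", "unchanged" or "error".
export function checkSessionMessage(clientId: string, sessionState: string): string {
  return `${clientId} ${sessionState}`;
}

export type CheckSessionResult = 'changed' | 'unchanged' | 'error';

// Interpret a postMessage reply. The origin must be the issuer's origin and the
// payload one of the two expected strings; anything else is 'error', so a spoofed
// or malformed message can never pass as "session unchanged".
export function interpretCheckSessionReply(eventOrigin: string, issuerOrigin: string, data: unknown): CheckSessionResult {
  if (eventOrigin !== issuerOrigin) return 'error';
  if (data === 'changed') return 'changed';
  if (data === 'unchanged') return 'unchanged';
  return 'error';
}

// Walk-through: login callback, then a plain reload, then one iframe reply.
export function demo(): { stored: string | null; afterReload: string | null; reply: CheckSessionResult } {
  const storage = new MemoryStorage();
  const stored = captureSessionState('https://app.example/callback?code=c0de&state=xyz&session_state=abc123.s4lt', storage, true);
  const afterReload = captureSessionState('https://app.example/', storage, true);
  const reply = interpretCheckSessionReply('https://demo.identityserver.io', 'https://demo.identityserver.io', 'unchanged');
  return { stored, afterReload, reply };
}
```

In an app you would call captureSessionState(window.location.href, storage, config.sessionChecksEnabled) before the OAuthService runs its tryLogin(), as the commenter notes. The origin comparison in interpretCheckSessionReply mirrors what a window message listener has to do before trusting a reply from the iframe: a message from any other origin, or any payload other than the two expected strings, is treated as an error rather than as proof that the OP session is still alive.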

Thanks for this info. It will work with version 9.1 which lands soon.

I am on version 10 and still getting this warning!
