Skip to content

Check session support in oidc-client-js

August 12, 2016

Single sign-out is a tricky business. For JavaScript-based applications OIDC provides the session management specification as a mechanism to be notified when the user has signed out or changed their login status at the OpenID Connect provider. It’s a somewhat confusing to read, and even more so to implement. For developers using IdentityServer, we always had samples for this which would help get this support into developers’ hands. But the samples were only that, samples.

Today I’m happy to announce that oidc-client-js (our OIDC/OAuth2 protocol library for browser-based JavaScript application) now supports the session management specification. This means one less piece of security plumbing you need to keep track of in your JavaScript-based applications.

Internally the UserManager will create the RP iframe necessary to poll the user’s session_state cookie. When the user’s status changes at the OP it will also attempt to silently re-query the OP to see if the user is still really signed in, or if they’re really signed out. Once it has determined that the user is really signed out of the OP, an event is raised letting your application know that the user has performed a signout. At this point, it’s up to your application to decide what to do. Here’s a snippet of registering for the event:

var settings = {
    authority: "https://localhost:44333/core",
    client_id: "js.usermanager",
    redirect_uri: "https://client.com/callback.html",
    response_type: "id_token token",
    scope: "openid profile email read write",
    silent_redirect_uri: "https://client.com/silent_renew.html"
};
var mgr = new Oidc.UserManager(settings);

mgr.events.addUserSignedOut(function () {
    log("user signed out");
});

Feel free to try it out (npm, github) and let us know how you like it. Thanks!

3 Comments leave one →
  1. Gary Mullen-schultz permalink
    May 12, 2017 3:39 pm

    Hey. Any plans to add support for any keys beyond RSA? My server is currently configured to use HS512, and I can’t get them to change.

    • May 12, 2017 3:42 pm

      You really want to use a symmetric key from your JavaScript client?

      • Gary Mullen-Schultz permalink
        May 12, 2017 3:57 pm

        Sorry, didn’t notice this was the “-js” thread. This is in regard to the C# client code.

        Thanks, Gary

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: