
Sign-out no longer triggers consistently on all open tabs to end session #49

Open
martyngroberts opened this issue Jul 14, 2021 · 4 comments

Comments

@martyngroberts

martyngroberts commented Jul 14, 2021

It is observed that if a user has two authenticated sessions running on separate tabs for an app integrated with Angular SDK (3.2.0), logging out will not consistently end the session correctly on the other tab. On some occasions the other tab will not detect the logout and on other occasions the page reload happens quicker than the first tab completing logout and access token is actually renewed, keeping session alive in both tabs.

This has been verified using the following:

  • sample app for SPA (using OIDC PKCE flow)
  • Angular SDK 3.2.0
  • "okta hosted login" flow to hosted signin widget
  • "offline_access" and refresh token rotation in place

Steps to recreate

  1. Open browser tab and sign into demo app (via redirect to hosted signin page and back)
  2. Open second tab and sign into demo app (picks up existing session)
  3. Click logout.

Repeat this process multiple times. One of three outcomes happens inconsistently, suggesting a race condition:

  1. Both apps are logged out and return to default public route
  2. One app logs out however other app does not refresh (however interaction shows that app is signed out)
  3. One app logs out however refresh on other tab happened sooner and actually refreshes the access token

Note that this behaviour has also been observed by another team who implemented the SDK, here is a video

@oleksandrpravosudko-okta
Contributor

Thanks for the repro steps and a demo @martyngroberts.

There is a chance this issue has the same root cause as #47, as cross-tab storage sync is enabled by the token service, which does not currently start during login redirect.

Internal Ref: OKTA-412078

@martyngroberts
Author

Hi @oleksandrpravosudko-okta, I can confirm the issue still exists in v3.2.1.

I have recorded the behaviour in this video - https://www.loom.com/share/4e1f8e6e538b4503ad61343e90b318bc

The key thing to observe is that whilst I initiate logout on one tab, you will see the first tab carries out a refresh of the token and hence both tabs remain in an authenticated state. This can be replicated with a fresh session in incognito.

@tyfrth

tyfrth commented Jul 30, 2021

FWIW, I cannot reproduce this behavior in 3.2.1 or 3.2.2 using either the okta-hosted-login or the custom-login samples: https://github.com/okta/samples-js-angular. All tokens in local storage are cleared on logout across all tabs. Chrome on Mac.

@oleksandrpravosudko-okta
Contributor

oleksandrpravosudko-okta commented Aug 4, 2021

I was able to reproduce this issue with 3.2.2 - thanks for catching this @martyngroberts!

A permanent fix for this issue will likely require a breaking change in our SDK(s); we intend to put it into the next major release.
For now, it is recommended to use a custom onAuthRequired function as a workaround:

// Navigate to the app's own login route instead of calling signOut()
async function onAuthRequired(oktaAuth, _) {
  window.location.assign('/login');
}

UPD: snippet changed to navigate to custom login page instead of doing sign out

3 participants