闲置时使用IdentityServer4 + oidc-client-js在Angular中注销用户 [英] Log out user when idle using IdentityServer4 + oidc-client-js in Angular
问题描述
在我的应用程序上,我具有超时功能,因此当用户闲置X分钟时,我想从Identity Server注销.
On my application I have a timeout feature so when the user is idle for X minutes I want to sign out from Identity Server.
我的第一个尝试是手动创建呼叫,而无需用户导航到注销控制器.
My first attempt was to manually create the call without having the user to navigate to the Logout controller.
此代码如下所示(Angular + TS):
This code looks like this (Angular + TS):
this.userManager
.createSignoutRequest({ id_token_hint: this.user && this.user.id_token })
.then(signout_request => {
this.http
.get(signout_request.url, {
responseType: 'text',
headers: new HttpHeaders().set(InterceptorSkipHeader, '') // Ignores token http-interceptor
})
.subscribe(_ => {
this.userManager.removeUser().then(_ => {
window.location.href = '/timeout'; // Navigate to page that informs user has been timed out
});
});
});
我可以看到它通过id_token_hint和正确的redirect_url到达了endsession端点,但是当我尝试重新登录到应用程序时,它给了我一个令牌,而无需再次要求我提供凭据,这不符合其目的.
I can see it goes to the endsession endpoint with an id_token_hint and the proper redirect_url, however when I try to log back into the application, it gives me a token without asking me for the credentials again which defeats its purpose.
oidc-client-js库中的常规签出功能可以正常工作.
The regular signout function from the oidc-client-js library works fine.
this.userManager
.signoutRedirect()
.then(res => {
if (!environment.production) {
// console.log('Redirection to signout triggered.', res);
}
})
唯一的警告是,我想向用户提供其他信息,说明他们由于不活动而超时,我不确定如何.
The only caveat is that I would like to present the user additional information stating that they have been timed out due to inactivity and I'm not sure how.
此函数接受 post_logout_redirect_uri
和 state
作为参数,但是我尚未能够成功地将它们保存在我的IdentityServer上(我仍然是新手.净).
This function accepts a post_logout_redirect_uri
and a state
as a parameter but I haven't been successfully able to grab those on my IdentityServer (I'm still novice with .Net).
这是错误的方法吗?我是否可以使用/timeout路由之类的方法将用户导航回我的Angular应用程序以显示此消息?
Is this the wrong approach? Shall I navigate the user back to my Angular app using something like a /timeout route to show this message?
感谢您的输入
推荐答案
不支持以这种方式调用结束会话终结点AFAIK-由于它可能涉及呈现UI,因此它必须是顶级导航.像这样进行CORS请求时,不会发送任何Cookie.
Calling the end session endpoint in this way is not supported AFAIK - it must be a top level navigation since it may involve presenting a UI. No cookies will be sent when doing a CORS request like this.
一个更好的选择可能是在登录请求中使用 max_age
授权端点参数,并在生成的 id_token
中检查 auth_time
它不比您想要的年龄大.这样,只有在您提供的时间段内对新令牌进行了身份验证后,您才能获得一个新令牌,但是您不必担心显式注销用户.
A better option may be to use the max_age
authorize endpoint parameter in the sign in request and checking auth_time
in the resulting id_token
to ensure it's not older than you want. That way you'll only get a new token if they authenticated within the time period you provide but you don't have to worry about explicitly signing the user out.
post_logout_redirect_uri
确实是注销用户后将用户带回应用程序内某个位置的正确方法.这些URI必须在客户端上预先注册.
post_logout_redirect_uri
is indeed the correct thing to use to take the user back to somewhere within your app after signing out. These URIs must be pre-registered against the client.
这篇关于闲置时使用IdentityServer4 + oidc-client-js在Angular中注销用户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!