闲置时使用IdentityServer4 + oidc-client-js在Angular中注销用户 [英] Log out user when idle using IdentityServer4 + oidc-client-js in Angular

问题描述

在我的应用程序上，我具有超时功能，因此当用户闲置X分钟时，我想从Identity Server注销.

On my application I have a timeout feature so when the user is idle for X minutes I want to sign out from Identity Server.

我的第一个尝试是手动创建呼叫，而无需用户导航到注销控制器.

My first attempt was to manually create the call without having the user to navigate to the Logout controller.

此代码如下所示(Angular + TS):

This code looks like this (Angular + TS):

      this.userManager
        .createSignoutRequest({ id_token_hint: this.user && this.user.id_token })
        .then(signout_request => {

          this.http
            .get(signout_request.url, {
              responseType: 'text',
              headers: new HttpHeaders().set(InterceptorSkipHeader, '') // Ignores token http-interceptor
            })
            .subscribe(_ => {
              this.userManager.removeUser().then(_ => {
                window.location.href = '/timeout'; // Navigate to page that informs user has been timed out
              });
            });
        });

我可以看到它通过id_token_hint和正确的redirect_url到达了endsession端点，但是当我尝试重新登录到应用程序时，它给了我一个令牌，而无需再次要求我提供凭据，这不符合其目的.

I can see it goes to the endsession endpoint with an id_token_hint and the proper redirect_url, however when I try to log back into the application, it gives me a token without asking me for the credentials again which defeats its purpose.

oidc-client-js库中的常规签出功能可以正常工作.

The regular signout function from the oidc-client-js library works fine.

    this.userManager
      .signoutRedirect()
      .then(res => {
        if (!environment.production) {
          // console.log('Redirection to signout triggered.', res);
        }
      })

唯一的警告是，我想向用户提供其他信息，说明他们由于不活动而超时，我不确定如何.

The only caveat is that I would like to present the user additional information stating that they have been timed out due to inactivity and I'm not sure how.

此函数接受 post_logout_redirect_uri 和 state 作为参数，但是我尚未能够成功地将它们保存在我的IdentityServer上(我仍然是新手.净).

This function accepts a post_logout_redirect_uri and a state as a parameter but I haven't been successfully able to grab those on my IdentityServer (I'm still novice with .Net).

这是错误的方法吗?我是否可以使用/timeout路由之类的方法将用户导航回我的Angular应用程序以显示此消息?

Is this the wrong approach? Shall I navigate the user back to my Angular app using something like a /timeout route to show this message?

感谢您的输入

推荐答案

不支持以这种方式调用结束会话终结点AFAIK-由于它可能涉及呈现UI，因此它必须是顶级导航.像这样进行CORS请求时，不会发送任何Cookie.

Calling the end session endpoint in this way is not supported AFAIK - it must be a top level navigation since it may involve presenting a UI. No cookies will be sent when doing a CORS request like this.

一个更好的选择可能是在登录请求中使用 max_age 授权端点参数，并在生成的 id_token 中检查 auth_time 它不比您想要的年龄大.这样，只有在您提供的时间段内对新令牌进行了身份验证后，您才能获得一个新令牌，但是您不必担心显式注销用户.

A better option may be to use the max_age authorize endpoint parameter in the sign in request and checking auth_time in the resulting id_token to ensure it's not older than you want. That way you'll only get a new token if they authenticated within the time period you provide but you don't have to worry about explicitly signing the user out.

post_logout_redirect_uri 确实是注销用户后将用户带回应用程序内某个位置的正确方法.这些URI必须在客户端上预先注册.

post_logout_redirect_uri is indeed the correct thing to use to take the user back to somewhere within your app after signing out. These URIs must be pre-registered against the client.

这篇关于闲置时使用IdentityServer4 + oidc-client-js在Angular中注销用户的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！