- ABP Framework version: v7.1
- UI type: Angular
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): yes / no
- Exception message and stack trace:
- Steps to reproduce the issue:"
Create new angular website using suite/cli.
- Start up website and login.
- Close the tab/browser
- Come back 1+ hours later and start up website
- You will be presented with the login screen,
- Click login and get into the site without entering credentials which is a severe security risk
Is there a way without custom code of getting logged out after closing the browser tab/browser? We do use an npm package called angular idle that looks for inactivity on the website and then will log you out. But if just you close the tab/browser you are still logged in and can come back the future without credentials.
We have tried using window.unload and removing cookies in localStorage. This appears to work, but there are some situations in which you will be prevented from logging in. using the auth service to logout does not work. probably becuae it is an async process and does not make the tab/browser wait before closing We have tried adding middleware to set lifetimes, that doesn't work
PreConfigure<OpenIddictServerBuilder>(builder =>
{
builder.SetAuthorizationCodeLifetime(TimeSpan.FromMinutes(1));
builder.SetAccessTokenLifetime(TimeSpan.FromMinutes(1));
builder.SetIdentityTokenLifetime(TimeSpan.FromMinutes(1));
builder.SetRefreshTokenLifetime(TimeSpan.FromDays(1));
});
We could write an angular interceptor and use o-auth service to invalidate the token. This will not work for mvc sites
Ultimately, we want something on the backend which will force a logout if the user has been idle for a period of time. We can see there is are cookies in localStorage: id_token_expires_at expiresAt with expiration times
We understand that the refresh token plays a role in this, but that we want a hard lifetime when it would not play a role.
7 Answer(s)
-
0
hi
Please remove the
offline_access
fromoAuthConfig
to disable therefresh token
.const oAuthConfig = { responseType: 'code', scope: 'offline_access MyProjectName' };
We could write an angular interceptor and use o-auth service to invalidate the token. This will not work for mvc sites
Did you select the
Remember me
when you login MVC website?The default authentication cookie of MVC is session. It will be invalid after closing/quitting the browser.
-
0
We removed offline_access which helped resolve the original issue. If you close the browser and walk away for more than an hour, you now must login again to access the site.
However, it creates another problem with the angular application. Once the IdentityToken expires, but before the AccessToken expires, the application automatically logs the user out and back in. If they are in the middle of a editing form when this happens, their data is lost as they are returned to the home page.
You have already user id in our test system at https://synergyz-test.otised.net if you want to see what happens for yourself.
We added the following code to the PreConfigureServices method in the HostModule so that we could iterate faster on the testing. The login succeeds, after 4 mins, the user is automatically logged out and back in without being prompted for a user / password.
PreConfigure<OpenIddictServerBuilder>(builder => { builder.SetAccessTokenLifetime(TimeSpan.FromMinutes(5)); builder.SetIdentityTokenLifetime(TimeSpan.FromMinutes(2)); });
-
0
Thanks scott7106
-
0
maliming,
Part of the reason we adjusted the lifetimes above was to make it easier to test. I have some of the code changes locally as I'm developing. I have the scope removed, but not the lifetime adjustments.
It appears that when we just remove the offline_access, we will get logged out after ~1 hour. Meaning even if you're in the middle of something, you get brought back to the screen where you need to enter your credentials. So the time does not "slide". Is there a way to "slide" (meaning while the user is active, they stay logged in, but when they go idle for 1 hour, they get logged out)?
-
0
hi
Angular does not support slide.
If the access token expires, it will use the refresh token(offline_access) to get a new one.
But I think you can customize this logic in angular, and I will ask angular colleagues.
-
0
hi,
I just want to make sure I understand what you said above. Are you saying that if our solution was an MVC/Blazor solution, this wouldn't be a problem? The slide would exist?
IE, because we are using an angular and .netcore solution, we do not get the slide.
-
0
You can listen the Browser's event https://developer.mozilla.org/en-US/docs/Web/API/Window/beforeunload_event and execute authService.logout() Also, another option is that you can use SessionStorage as auth storage instead of LocalStorage. (it provide OAuthStorage with a SessionStorage-compatible custom class)
{ provide: OAuthStorage, useClass: AbpLocalStorageService },
https://github.com/abpframework/abp/blob/3e66d25f6f3798b9a9362311ed2c93aa0e98e2c2/npm/ng-packs/packages/oauth/src/lib/oauth.module.ts#L62
https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage
Note: you should resource owner flow otherwise backend still store the refresh-token
https://docs.abp.io/en/abp/latest/UI/Angular/Authorization#resource-owner-password-flow