I have implemented the Authorization Code Flow with Proof Key for Code Exchange (PKCE) with Identity Server 4, an Angular 8 client and ASP.NET web API. The way I did that is by following the quick start here. It’s using silent refresh as well.
The happy flow works: the user can log on, and if he logs off explicitly or closes the browser, the session ends and he needs to log in again.
There is however a case where this does not happen; more specifically, if the ‘remember where I left off’ option in Chrome or Firefox is selected. In that case, the browser simply remembers the session, and if the user starts the browser hours or days later, he is still logged on to the site. As the web site will be used on shared computers, this is a potential security issue if the user does not explicitly log off.
I’m a bit puzzled on how to handle this case. I want the session to end when the browser is closed, always. Can someone point me in the right direction on how to achieve that with Identity Server 4?
Source: How to delete ‘Authorization Code Flow with PKCE’ session when browser is closed
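As an added illustration (not code from the question above or from the IdentityServer4 quick start), one way to contain the risk described in the question: a browser's session restore can bring back a non-persistent authentication cookie, so the cookie cannot be relied on to die with the browser window. Giving the IdentityServer4 authentication cookie a short, non-sliding absolute lifetime bounds how long a restored session stays valid. The `Startup` class, the 30-minute value and the comment placeholders for the rest of the quick-start registrations are assumptions; `CookieLifetime` and `CookieSlidingExpiration` are the IdentityServer4 `AuthenticationOptions` settings.

```csharp
// Added example, not part of the original post. Assumes the
// IdentityServer4 host project from the quick start, with the usual
// client/resource registrations added where indicated.
using System;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        var builder = services.AddIdentityServer(options =>
        {
            // The sign-in cookie is non-persistent by default, but browser
            // session restore revives it. Cap the absolute lifetime so a
            // restored session is rejected after at most this long
            // (30 minutes is an assumed value; pick one for the deployment).
            options.Authentication.CookieLifetime = TimeSpan.FromMinutes(30);

            // Fixed expiry: user activity must not push the deadline out,
            // otherwise a restored session on a shared machine keeps living.
            options.Authentication.CookieSlidingExpiration = false;
        });

        // The remaining quick-start registrations belong here, e.g.
        // builder.AddDeveloperSigningCredential() and the
        // AddInMemoryClients / AddInMemoryApiResources calls.
    }
}
```

With a fixed lifetime on the IdentityServer cookie, the silent-refresh iframe in the Angular client also stops succeeding once that deadline passes, because the token endpoint's authorize request no longer finds a valid IdentityServer session; the client then has to send the user back to the login page. The trade-off is that legitimately active users are signed out on the same schedule, so the value is a balance between the shared-computer exposure and user convenience.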