How to delete ‘Authorization Code Flow with PKCE’ session when browser is closed

Published

I have implemented the Authorization Code Flow with Proof Key for Code Exchange (PKCE) with Identity Server 4, an Angular 8 client and ASP.NET web API. The way I did that is by following the quick start here. It’s using silent refresh as well.

The happy flow works: the user can log on, and if he logs off explicitly or closes the browser, the session ends and he needs to log in again.

There is however a case when this does not happen; more specifically if the ‘remember where I left off’ option in Chrome or Firefox is selected. In that case, the browser simply remembers the session and if the user starts the browser hours or days later, he is still logged on to the site. As the web site will be used on shared computers, this is a potential security issue if the user does not explicitly log off.

I’m a bit puzzled on how to handle this case. I want the session to end when the browser is closed, always. Can someone point me in the right direction on how to achieve that with Identity Server 4?


Categorized as angular, asp.net-core, authentication, identityserver4

Answers

There are a few things you could do to solve this issue:

  • Change the storage of the auth token to sessionStorage; this should be cleared after the browser is closed (I couldn’t find any proof that the remember where I left off setting would affect sessionStorage)
  • Explicitly log the user out when the browser tab or the whole browser is closed: Javascript auto logout code
  • Instead of using silent token renewal, do it by hand (this involves some extra code, implementing an Angular interceptor to ask for a new token when the existing one expires and resetting it). I think this is a workaround and would require significant extra effort, especially because you already use a pretty good client to handle everything around authentication and authorization for you.

Pascale Grady
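The first two suggestions in the answer above, a session-bound token store plus an explicit logout when the page is torn down, as an added example. This is not code from the question, the answer, IdentityServer4 or the oidc-client library; the storage key `app.auth.session`, the status names, the 8 hour default cap and the `MemoryStorage` stand-in are all assumptions made for the example. The store takes any Web Storage compatible object, so in the browser you pass `window.sessionStorage`; because a browser that restores tabs may bring stored data back with them, the store does not rely on sessionStorage being wiped and additionally records when the session started, so an entry older than the absolute cap is treated as logged out even if silent renew kept the access token fresh in between.

```javascript
'use strict';

// Storage key for the SPA's token data. Assumed name, not from the post.
const TOKEN_KEY = 'app.auth.session';

// Token store bound to the browser session. `storage` is any Web Storage
// compatible object: window.sessionStorage in the browser, MemoryStorage
// (below) when running outside one.
class SessionTokenStore {
  constructor(storage, { maxSessionMs = 8 * 60 * 60 * 1000, now = () => Date.now() } = {}) {
    this.storage = storage;
    this.maxSessionMs = maxSessionMs; // absolute cap, independent of renewals
    this.now = now;                   // injectable clock so the test can move time
  }

  // Store a token endpoint response (RFC 6749 section 5.1 shape: access_token,
  // expires_in in seconds). The session start is recorded once and kept across
  // silent renewals, so renewing never extends the absolute lifetime.
  save(tokenResponse) {
    const now = this.now();
    const previous = this.readRaw();
    const entry = {
      accessToken: tokenResponse.access_token,
      expiresAt: now + tokenResponse.expires_in * 1000,
      sessionStartedAt: previous ? previous.sessionStartedAt : now,
    };
    this.storage.setItem(TOKEN_KEY, JSON.stringify(entry));
    return entry;
  }

  // Raw stored entry, or null. Anything unparseable is discarded, not trusted.
  readRaw() {
    const raw = this.storage.getItem(TOKEN_KEY);
    if (raw === null || raw === undefined) return null;
    try { return JSON.parse(raw); } catch { this.clear(); return null; }
  }

  // 'none': not logged in. 'valid': use accessToken. 'renew': access token
  // expired, run silent renew. 'session-expired': absolute cap reached, the
  // entry is wiped and the user must log in interactively again.
  status() {
    const entry = this.readRaw();
    if (!entry) return { state: 'none' };
    const now = this.now();
    if (now - entry.sessionStartedAt >= this.maxSessionMs) {
      this.clear();
      return { state: 'session-expired' };
    }
    if (now >= entry.expiresAt) return { state: 'renew' };
    return { state: 'valid', accessToken: entry.accessToken };
  }

  clear() { this.storage.removeItem(TOKEN_KEY); }
}

// Minimal Web Storage stand-in (constructed for the example) so the store
// runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Explicit logout when the page goes away. `target` is the window (or any
// EventTarget); `endSession` receives the stored entry so the caller can notify
// the identity provider's end-session endpoint, e.g. with navigator.sendBeacon.
// Caveat: pagehide also fires on reload and navigation, so this logs the user
// out on F5 as well, which is why the store above does not depend on it alone.
function attachLogoutOnClose(store, target, endSession) {
  const handler = () => {
    const entry = store.readRaw();
    store.clear();
    if (entry) endSession(entry);
  };
  target.addEventListener('pagehide', handler);
  return () => target.removeEventListener('pagehide', handler);
}
```

With the oidc-client library that the IdentityServer4 SPA quickstart uses, the same storage switch is made by passing `userStore: new WebStorageStateStore({ store: window.sessionStorage })` in the UserManager settings; the absolute cap and the unload logout still have to be added around it, as above.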
