Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Session change not fired if identity token does not contain a sid claim #1242

Closed
bachratyg opened this issue Nov 11, 2023 · 3 comments · Fixed by #1247
Closed

Session change not fired if identity token does not contain a sid claim #1242

bachratyg opened this issue Nov 11, 2023 · 3 comments · Fixed by #1247
Labels
breaking change bug Something isn't working help wanted Extra attention is needed

Comments

@bachratyg
Copy link
Contributor

See here:

oidc-client-ts/src/SessionMonitor.ts

Line 156 in b7266eb

if (session.sid === this._sid) {

If there is no sid claim in the id token then undefined === undefined evaluates to true and the userSessionChanged event is never fired.

The sid claim is not part of the session management spec, it is only defined in frontchannel logout spec and it's optional. This claim should not be checked at all or at least the user session should be assumed to have changed when the claim is not present.
@pamapa pamapa added the bug Something isn't working label Nov 13, 2023
@pamapa
Copy link
Member

pamapa commented Nov 13, 2023

Thanks for reporting, would be nice when you provide a fix for this.

@pamapa pamapa added the help wanted Extra attention is needed label Nov 13, 2023
@bachratyg
Copy link
Contributor Author

I can help. There are a couple of options to handle this:

  1. Check the sub claim, ignore the sid claim. This is a straightforward fix but a behavioral breaking change. It might be ok considering the current behavior is incorrect.
  2. Check the sub claim, check the sid claim but only fire the event if it's either different or missing. This avoids the break if the sid is always present, but still causes false alarms when the presence of the sid varies e.g. by requested scope.
  3. Opt-in to 1 by exposing a new property on UserManagerSettings e.g. checkSessionIgnoreSid?: boolean. This would avoid the break but might not be optimal for consumers to discover.
  4. A generalization of 3: configure which checks to make and as a consequence which events to fire. This is a more involved change.

Option 4 can also tackle the issue that the callback hits the OP via querySessionStatus (a silent sign-in with no scopes) to determine which event to fire. If the event handler(s) are going to refresh the profile/tokens anyway (e.g. signinSilent) or just kick out the user, then this is redundant load on the OP. The fix would be an opt-in to forego all checks and always fire the userSessionChanged event without any processing, never the other two. For example angular-auth-oidc-client does this, it's entirely up to the user how to handle the change.

@pamapa
Copy link
Member

pamapa commented Nov 14, 2023
edited
Loading

@bachratyg Thanks for taking interests here, currently is a good time for a breaking change (i am planing v3), so lets focus on following the specs and doing correctly without fallback to old behavior.

@bachratyg bachratyg mentioned this issue Nov 14, 2023
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
breaking change bug Something isn't working help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: UserSessionChanged should be raised regardless of sid claim. Sid… bachratyg/oidc-client-ts
2 participants
@bachratyg @pamapa