Error status handling for OIDC session management #1355
I think you have it right -- the library won't know why there's an error and the spec doesn't help with knowing if you should keep polling or not, so this library stops the polling. IIRC there's an API to start/stop, so you might be able to reach thru the UserManager and find the object you need to re-start the polling.
Actually, my problem is not that I can't start or restart the polling. There is a configuration parameter to continue polling in the error case (which, by the way, is not documented; I found the parameter "by accident" as I was searching through the code to find a solution for my issue). My problem is that, in case of an error, I want to be notified so I can take further action such as logging the user out. The issue here is that in case of an error, and as I have already stated the cause for an error is very likely either a security breach or a severe programming error on the OP side, I would like to be able to take further action such as logging out the user. Of course, if you want I can make a suggestion via pull request if you accept contributions (I haven't checked on that to be honest).
Locally or also at the OP? In either case, that sounds dangerous. If you search the archives there are a few issues where people are reporting that "error" is returned for completely unrelated reasons. The main one I can think of is a browser plug-in that was hammering all iframes with postMessage, which produced "error".
Well, in my case probably at both. I understand what you mean by dangerous. That is why I suggest that the library could provide an event so the client can decide what needs to be done. This "error status event listening" could additionally be "guarded" by a setting that is set to
Ok, so you're looking for an error event on error. Got it.
Yes, that is exactly what I am looking for. And like I said, I can implement a suggestion and send a pull request if you want.
You can send a PR, but my time is strapped to even review.
Ok, I will implement something and commit via pull request. I am sure that others will also profit from this - this is something that everyone using OIDC session management should potentially need even though it is not explicitly defined by the specification.
I am using oidc-client-js in an enterprise SSO and SLO environment. We have implemented SLO using the OIDC session management process as defined here: https://openid.net/specs/openid-connect-session-1_0.html by providing the session state and the required OP iFrame. This is the part that works, the statuses "changed" and "unchanged" are propagated as needed.
The problem is that in case of the "error" status the whole message propagation mechanism stops. Even though the specification does not explicitly define the behaviour that should result from the "error" state, I would have expected that this library would provide an event similar to the available userSessionChanged or other events so that the client can react to this error. As the cases that lead to the "error" state are things like invalid client ID, invalid session state in the sense of e.g. being null, or the origin being wrong, which are all very security relevant (they basically imply that e.g. the source has been manipulated somehow, the session state generation mechanism on the OP's side does not work, etc.), I would have expected some way to handle this "error" state. If I have misunderstood something or have overlooked something I would be very happy if I could get some hints as to how I can achieve the described use case.
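The RP-side behaviour discussed in this thread, as an added example that is not oidc-client-js code: a small session monitor that posts the "client_id session_state" message to the OP iframe, checks the reply's origin against the OP's check_session_iframe origin, and turns "error" into an event the application can act on instead of silently stopping. The class, option and event names (SessionMonitor, stopOnError, sessionError) are hypothetical; the transport function passed to start() is injected so the logic runs outside a browser.

```javascript
// Added example (not from the oidc-client-js project). Classifies the OP
// iframe's postMessage reply per OIDC Session Management and surfaces
// "error" as an event; all identifiers here are hypothetical.
class SessionMonitor {
  constructor({ opOrigin, clientId, sessionState, intervalMs = 2000, stopOnError = true }) {
    this.opOrigin = opOrigin;          // origin of the OP's check_session_iframe
    this.clientId = clientId;
    this.sessionState = sessionState;  // session_state from the authentication response
    this.intervalMs = intervalMs;
    this.stopOnError = stopOnError;    // mirror of "continue polling on error"
    this.timer = null;
    this.listeners = {};
  }

  on(name, fn) { (this.listeners[name] = this.listeners[name] || []).push(fn); }
  emit(name, detail) { (this.listeners[name] || []).forEach(fn => fn(detail)); }

  // Message the RP iframe posts to the OP iframe: "<client_id> <session_state>".
  buildMessage() { return `${this.clientId} ${this.sessionState}`; }

  // post(message) delivers to the OP iframe (e.g. opFrame.postMessage(msg, opOrigin)).
  start(post) {
    this.stop();
    this.timer = setInterval(() => post(this.buildMessage()), this.intervalMs);
  }
  stop() { if (this.timer) { clearInterval(this.timer); this.timer = null; } }

  // Handle one message event from the OP iframe; returns the classification.
  handleMessage(event) {
    // Replies from any other origin are not the OP's answer and must be ignored;
    // this is how unrelated postMessage traffic (browser plug-ins) is kept out.
    if (event.origin !== this.opOrigin) {
      this.emit("ignored", { reason: "unexpected origin", origin: event.origin });
      return "ignored";
    }
    switch (event.data) {
      case "unchanged": return "unchanged";
      case "changed":
        this.stop();
        this.emit("userSessionChanged", { origin: event.origin });
        return "changed";
      case "error":               // invalid client_id, session_state or origin at the OP
        if (this.stopOnError) this.stop();
        this.emit("sessionError", { origin: event.origin });
        return "error";
      default:
        this.emit("ignored", { reason: "unknown status", data: event.data });
        return "ignored";
    }
  }
}
```

Whether a sessionError listener logs the user out locally, at the OP, or only records the event is left to the application, which is the decision the thread asks the library to hand back to the client.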