attemptSilentLogin doesn't take into account Auth0 session #630

Closed
5 tasks done
vafada opened this issue Aug 16, 2024 · 2 comments

Comments

@vafada

vafada commented Aug 16, 2024

Checklist

  • I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

The attemptSilentLogin will not do a silent login if req.oidc.isAuthenticated() returns true.

req.oidc.isAuthenticated() will return true if the appSession (client-side cookie) is still valid (cookie not yet expired).

The problem is that if the underlying Auth0 session (server side) has already expired, the user isn't really authenticated anymore even though req.oidc.isAuthenticated() returns true.

Describe the ideal solution

Maybe the attemptSilentLogin function should also check whether the Auth0 session (server side) is still valid.

Alternatives and current workarounds

The workaround right now is to make the session cookie's expiry duration shorter than the Auth0 session's (server side),

so that calls to the attemptSilentLogin middleware actually trigger a silent login instead of just doing next().

Additional context

No response

@vafada (Author)

vafada commented Aug 16, 2024

Maybe this block:

if (
  !silentLoginAttempted &&
  !req.oidc.isAuthenticated() &&
  req.accepts('html')
) {

should be

if (
  !silentLoginAttempted &&
  (!req.oidc.isAuthenticated() || req.oidc.accessToken.isExpired()) &&
  req.accepts('html')
) {

@nicosabena

IMO req.oidc.isAuthenticated() should return true if the app session is still valid, even if you terminated your Auth0 session. The application session is independent of the Auth0 session, and having the application session continue after the Auth0 session expires is a valid use case.

If you want the application session to be terminated when the Auth0 session ends, then you should enable back channel logout so that Auth0 can send a signal to the app and terminate the session.

Note that BCLO needs to be configured both on the Auth0 side and on the application side. See https://github.com/auth0/express-openid-connect/blob/master/examples/backchannel-logout.js and https://github.com/auth0/express-openid-connect/blob/master/examples/backchannel-logout-custom-query-store.js for configuration examples.
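The thread above contrasts two things: the attemptSilentLogin decision, which is driven only by the appSession cookie, and the back-channel logout signal that actually ends the app session when the Auth0 session ends. The following is an added example, not express-openid-connect's own code: a small in-memory model of both, with the issue's proposed check guarded against a session that carries no access token, the cookie-shorter-than-Auth0-session workaround, and a logout-token handler that validates the claims the OIDC Back-Channel Logout spec requires. The session shape, the store, buildRequest and the acceptsHtml/silentLoginAttempted flags are hypothetical stand-ins for the real request objects; signature, issuer and audience verification of the logout token is assumed to happen before handleBackchannelLogout is called.

```javascript
// Added example (not the express-openid-connect implementation). All names and
// the session shape are hypothetical; times are Unix seconds.

const BCLO_EVENT = 'http://schemas.openid.net/event/backchannel-logout';

// App sessions keyed by the Auth0 session id (the `sid` claim of the id_token),
// which is also what a back-channel logout token references.
class SessionStore {
  constructor() { this.sessions = new Map(); }
  set(sid, session) { this.sessions.set(sid, session); }
  get(sid) { return this.sessions.get(sid); }
  delete(sid) { return this.sessions.delete(sid); }
}

// Shape a request the way the middleware sees it: req.oidc is derived only from
// the appSession cookie, so it knows nothing about the Auth0 server-side session.
function buildRequest(store, sid, now, opts = {}) {
  const session = store.get(sid);
  const cookieValid = session !== undefined && session.cookieExpiresAt > now;
  const oidc = { isAuthenticated: () => cookieValid };
  // Only sessions that were issued an access token expose one.
  if (cookieValid && session.accessTokenExpiresAt !== undefined) {
    oidc.accessToken = { isExpired: () => session.accessTokenExpiresAt <= now };
  }
  return {
    oidc,
    acceptsHtml: opts.acceptsHtml !== false,
    silentLoginAttempted: opts.silentLoginAttempted === true,
  };
}

// Current behaviour: silent login is attempted only when the cookie session is gone.
function shouldAttemptSilentLoginCurrent(req) {
  return !req.silentLoginAttempted && !req.oidc.isAuthenticated() && req.acceptsHtml;
}

// Behaviour proposed in the issue, with a guard: a session obtained without an
// access token has no req.oidc.accessToken, so calling isExpired() on it would throw.
function shouldAttemptSilentLoginProposed(req) {
  const tokenExpired = req.oidc.accessToken !== undefined && req.oidc.accessToken.isExpired();
  return !req.silentLoginAttempted && (!req.oidc.isAuthenticated() || tokenExpired) && req.acceptsHtml;
}

// Back-channel logout: check the logout-token claims the spec requires (events with
// the backchannel-logout URI, sid or sub, and no nonce) and drop matching sessions.
function handleBackchannelLogout(store, claims) {
  if (claims.nonce !== undefined) return { ok: false, reason: 'nonce must not be present' };
  if (!claims.events || typeof claims.events !== 'object' || !(BCLO_EVENT in claims.events)) {
    return { ok: false, reason: 'missing backchannel-logout event' };
  }
  if (claims.sid === undefined && claims.sub === undefined) {
    return { ok: false, reason: 'sid or sub required' };
  }
  let removed = 0;
  for (const [sid, session] of store.sessions) {
    const bySid = claims.sid !== undefined && sid === claims.sid;
    const bySub = claims.sid === undefined && session.sub === claims.sub;
    if (bySid || bySub) { store.delete(sid); removed++; }
  }
  return { ok: true, removed };
}

// Walk through the issue's scenario with constructed data.
function demo() {
  const store = new SessionStore();
  const t0 = 1700000000;
  // sid-1: cookie lives 24h, access token issued with the Auth0 session lives 1h.
  store.set('sid-1', { sub: 'auth0|alice', cookieExpiresAt: t0 + 86400, accessTokenExpiresAt: t0 + 3600 });
  // sid-2: the workaround, cookie (30 min) shorter than the Auth0-side lifetime (1h).
  store.set('sid-2', { sub: 'auth0|bob', cookieExpiresAt: t0 + 1800, accessTokenExpiresAt: t0 + 3600 });
  const later = t0 + 7200; // token expired on the Auth0 side, sid-1 cookie still valid
  const req1 = buildRequest(store, 'sid-1', later);
  const result = {
    currentAttempts: shouldAttemptSilentLoginCurrent(req1),    // false: cookie still valid
    proposedAttempts: shouldAttemptSilentLoginProposed(req1),  // true: access token expired
    workaroundAttempts: shouldAttemptSilentLoginCurrent(buildRequest(store, 'sid-2', later)), // true
  };
  // A back-channel logout for sid-1 ends the app session; the existing check now fires.
  const bclo = handleBackchannelLogout(store, {
    iss: 'https://example.auth0.com/', aud: 'client-id', iat: later, jti: 'jti-1',
    events: { [BCLO_EVENT]: {} }, sid: 'sid-1', sub: 'auth0|alice',
  });
  result.bcloRemoved = bclo.removed;
  result.currentAttemptsAfterBclo = shouldAttemptSilentLoginCurrent(buildRequest(store, 'sid-1', later));
  return result;
}
```

Running demo() shows the three states side by side: with a long-lived cookie the current check never attempts a silent login even though the Auth0-side token has expired, the proposed check does, and once a valid logout token for the sid arrives the app session is gone and the existing check triggers on its own.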

vafada closed this as not planned (won't fix, can't repro, duplicate, stale) Oct 18, 2024