Topology
An internal OIDC server (OP) using the IdentityServer4 implementation.
An internal back-end client (RP) proxy web server for our SPA app.
An internal REST server that the RP uses as a resource.
Authentication flow
Hybrid, with back-channel-enabled OP and RP.
The problem
The RP is in a “sign-in illusion” state. When a user signs in via the RP, the OP and RP correctly create the server and local session cookie for the user with default expiration times.
There was no refresh-token flow in place, so there was a scenario where the user’s access token expired and they were still hitting the resource server with the expired token. This correctly returned 401 to the user.
What happens if I did set the user’s OP sign-in session to expire, but the RP decides to keep the user locally signed in indefinitely?
I thought of a few possible solutions:
1. Require every route to be challenged so that the redirect to sign-in flow kicks in.
2. Back-channel logout flow.
Option 2 seems the best considering our architecture, but I am wondering if it’s over-engineering. I really just need the RP to sign out its local user when said user has been signed out by the OP.
Front- or back-channel sign-out is the correct way to do it in my opinion.
Bear in mind though that it will only kick in if the user explicitly signs out.
You can also use session monitoring to be instantly notified if a user’s session changes and then take suitable action. Note however that the default implementation of this does not align the expiry of the session ID cookie with the main authentication cookie.
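The back-channel logout flow discussed in the question (option 2) and recommended in the answer works by the OP POSTing a signed logout_token to an RP endpoint; the RP must validate that token and then kill its own local session(s), which is exactly what closes the "sign-in illusion". The following is an added example, not code from the original post or from IdentityServer4: a minimal RP-side handler that validates a logout token per the OpenID Connect Back-Channel Logout rules (issuer, audience, iat window, sub or sid present, the backchannel-logout event, no nonce, single-use jti) and revokes matching local sessions. It assumes an HS256 shared secret so it runs offline; a real IdentityServer4 OP signs with RS256 and you would verify against its JWKS instead. The session store, issuer URL, client id and secret are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Event URI defined by the OpenID Connect Back-Channel Logout spec.
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Constructs a logout_token the way a (hypothetical) OP would; demo only."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256_jwt(token: str, secret: bytes) -> dict:
    """Checks the signature and returns the claims; raises ValueError otherwise."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never accept "none" or an unexpected alg
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def validate_logout_token(token, secret, issuer, client_id, now, seen_jti, max_age=120):
    """Applies the spec's logout_token checks; returns claims or raises ValueError."""
    claims = verify_hs256_jwt(token, secret)
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    iat = claims.get("iat")
    if not isinstance(iat, (int, float)) or not (now - max_age <= iat <= now + 60):
        raise ValueError("iat outside acceptable window")
    if "sub" not in claims and "sid" not in claims:
        raise ValueError("logout token needs sub or sid")
    events = claims.get("events")
    if not isinstance(events, dict) or BACKCHANNEL_EVENT not in events:
        raise ValueError("missing backchannel-logout event")
    if "nonce" in claims:  # a nonce marks an ID token, which must not be accepted here
        raise ValueError("nonce must not be present")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)  # only record after every other check passed
    return claims


class RpSessionStore:
    """In-memory stand-in for the RP's local session cookie store (constructed)."""

    def __init__(self):
        self._sessions = {}  # local cookie id -> {"sub", "sid", "expires"}

    def sign_in(self, local_id, sub, sid, expires_at):
        self._sessions[local_id] = {"sub": sub, "sid": sid, "expires": expires_at}

    def is_signed_in(self, local_id, now):
        s = self._sessions.get(local_id)
        return s is not None and now < s["expires"]

    def revoke(self, sid=None, sub=None):
        """sid present: kill that OP session only; sub only: kill all of the user's sessions."""
        doomed = [k for k, s in self._sessions.items()
                  if (sid is not None and s["sid"] == sid) or (sid is None and s["sub"] == sub)]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def handle_backchannel_logout(store, logout_token, secret, issuer, client_id, seen_jti, now=None):
    """RP endpoint logic: returns (HTTP status, number of local sessions revoked)."""
    now = time.time() if now is None else now
    try:
        claims = validate_logout_token(logout_token, secret, issuer, client_id, now, seen_jti)
    except ValueError:
        return 400, 0
    return 200, store.revoke(sid=claims.get("sid"), sub=claims.get("sub"))


if __name__ == "__main__":
    secret, iss, client = b"constructed-demo-secret", "https://op.example.internal", "rp-proxy"
    store, seen, now = RpSessionStore(), set(), 1_700_000_000
    store.sign_in("cookie-1", "user-42", "sid-abc", now + 3600)
    tok = make_hs256_jwt({"iss": iss, "aud": client, "iat": now, "jti": "j1",
                          "sid": "sid-abc", "events": {BACKCHANNEL_EVENT: {}}}, secret)
    print(handle_backchannel_logout(store, tok, secret, iss, client, seen, now=now))  # (200, 1)
```

The jti set is the piece most often skipped: without it a captured logout token could be replayed to evict sessions later. Note too that this only fires on an explicit sign-out at the OP, as the answer says; it does nothing about the "user stays signed in after the access token expired" case from the question, which still needs the RP to either refresh the token or treat the local session as ended when the token's lifetime is up.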