I am currently implementing SSO on multiple applications using OIDC. I am not sure how to handle single-sign-out in a Single-Page App (SPA) for token-based authentication.
Consider two applications. Application A is a standard Spring MVC application that uses the OAuth2 Authorization Code flow, and application B is a SPA using the implicit flow. Both applications use Okta for SSO, so if a user signs into one application, they have an active Okta session, and if they sign out of the app, the Okta SSO session is terminated.
If a user has signed into Application A, when they navigate to Application B they are automatically signed in via SSO, which is to be expected. However, If the user logs out of Application A and then navigates to application B, currently app B still loads and allows access to apis because it has a valid OAuth2 access token stored in browser local storage. I would like application B to require the user to re-authenticate before making any other requests.
What is the recommended approach for doing single sign out in a SPA, since there is no way to have the identity provider send a ‘signout’ request to a server endpoint?
A couple of possible solutions I have thought of are:
- Create one-time-use access tokens that must be re-generated with every request.
- Check for an active IDP session any time Application B wants to make a request to our apis.
I am hesitant to use either of those two solutions because they require an additional request to the IDP any time the user interacts with the app. Are the any other strategies to solve this problem?
As an additional note, I am familiar with this OIDC draft spec (Draft: OpenID Connect Session Management 1.0 - draft 30) which brings up the notion of front-channel logout. I would love to be able to do something like this using the okta logout_redirect_uri value in an application’s profile. Has anyone had success implementing this?