[FEATURE] Allow to clear the user session without redirect #42

Open
ms-emp opened this issue Feb 28, 2024 · 8 comments
Labels
enhancement New feature or request needs triage

Comments

ms-emp (Contributor) commented Feb 28, 2024

Description

I would like to force the user to re-login on app start even though the previous session has not expired yet.

Right now the only way to log out the user is by calling logout from AuthService, which does a redirect in a browser window, but that's not what I want to do when the user opens the app; instead, I would like to clear the session from storage so the user must re-enter his credentials.

This will also resolve point 2 here

Proposed solution

Make removeUser from OIDCAuthManager public as well for ngx-auth.

Alternatives considered

No response

Badisi (Owner) commented Mar 1, 2024

Removing the user from storage will not log him out of the identity provider (it will only be at the app level).
So if he still has an active session at the identity provider, the next login redirect will be instant and the user will be logged in again without re-entering any credentials.

ms-emp (Contributor, Author) commented Mar 1, 2024

That's exactly what I want; we can force re-authentication even when the session is still active.

See here: Force Reauthentication in OIDC

Badisi (Owner) commented Mar 7, 2024

Out of curiosity: why would you want to do that?

Like I answered in #30:

If your concern is just making sure that the user would not be relogged in automatically then you can simply set retrieveUserSession to false.

This will do exactly what you want: the user opens the app, logs in, closes the app, reopens the app and is now logged out (forcing him to click on login again), but since he was not logged out from the IDP, the popup comes and goes and the user is logged in again.

You can also couple that with loginRequired: true so that when the user opens the app, he is always redirected automatically to the IDP (no need for him to click on a login button somewhere).

ms-emp (Contributor, Author) commented Mar 7, 2024

What I want is that, on mobile, every time the app opens we should start from a clean state (no previous auth session). Right now I'm not able to force sign-out from the identity provider. Still, at least I could clear the local user session and force the user to re-authenticate (even if he didn't log out from the IDP), as I mentioned above.

retrieveUserSession only works on desktop, not on mobile; as you answered here, on mobile the user session is retrieved from storage.

But another main point is that by using the ngx-auth library, we should still have full control over the OidcUserManager (which extends UserManager from oidc-client-ts) if the developer needs it for any reason, so AuthService should really expose (make public) the underlying OidcAuthManager and OidcUserManager.

Badisi (Owner) commented Mar 7, 2024

loginRequired: true: will force the user to authenticate before bootstrapping the Angular application

  • if the user does not, the app won't load
  • meaning that (on mobile, or on desktop via popup) you will have to handle such a case to avoid leaving the user on a blank page (see here for an example)

retrieveUserSession: true: will try to log the user back in at startup

  • it will trigger a silent renew (with iframe) on desktop
  • and will simply load the user from storage on mobile
    => if it is false it will set the user to null and dispatch isAuthenticated: false

So yes, retrieveUserSession: false should do the trick in your case because, contrary to what you think, it also works on mobile.
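Constructed model, added here and not code from ngx-auth or oidc-client-ts, of the point made in the two maintainer comments above: removing the stored user or setting retrieveUserSession to false only clears app-level state, while a still-active IdP session logs the user back in instantly unless the IdP itself is asked to re-prompt (the OIDC prompt=login hint) or the IdP session is ended. The class and method names below are assumptions for illustration.

```typescript
// Constructed model (not library code) of the three layers discussed in this
// thread: the app's stored user, the IdP's own session, and the OIDC
// `prompt=login` hint that forces re-authentication at the IdP.
type User = { sub: string };

// Identity provider: its session lives in the IdP's own cookies, independent
// of anything the app stores locally.
class IdP {
  private session: string | null = null;
  login(sub: string): void { this.session = sub; }
  logout(): void { this.session = null; }
  // An authorize request is answered instantly while a session exists,
  // unless the client sends prompt=login; otherwise credentials are required.
  authorize(prompt?: 'login'): User | 'credentials-required' {
    if (this.session === null || prompt === 'login') return 'credentials-required';
    return { sub: this.session };
  }
}

// App-side manager. `retrieveUserSession` follows the setting name used in the
// thread; the behaviour here is a stand-in for the mobile (storage) path.
class AppAuth {
  private storage: User | null = null;
  private idp: IdP;
  private retrieveUserSession: boolean;
  constructor(idp: IdP, retrieveUserSession: boolean) {
    this.idp = idp;
    this.retrieveUserSession = retrieveUserSession;
  }
  // Startup: load the stored user, or start with no user when the setting is false.
  start(): User | null { return this.retrieveUserSession ? this.storage : null; }
  // The requested feature: clears app-level state only, the IdP session survives.
  removeUser(): void { this.storage = null; }
  // Login redirect: instant when the IdP still has a session (no prompt=login).
  loginRedirect(prompt?: 'login'): User | 'credentials-required' {
    const r = this.idp.authorize(prompt);
    if (r !== 'credentials-required') this.storage = r;
    return r;
  }
  // Real logout: ends the IdP session as well as the local one.
  logout(): void { this.storage = null; this.idp.logout(); }
}
```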

Badisi (Owner) commented Mar 8, 2024

Regarding the full control over OidcUserManager, I get your point and I'm open to discussing it, but only on a per-case basis and only if it makes sense.

This library was made with 3 things in mind:

  1. Provide one single library to do both desktop and mobile authentication
    • when you are developing hybrid apps (i.e. the same app running on both desktop and mobile) it is absurd to have to install 2 different libs (with different implementations) to do the authentication. To date, I still don't know of any lib that does that (or maybe Ionic Auth Connect, but it's a paid option).
  2. Make sure all the security standards and best practices are respected so that developers don't have to think about it
    • developers are often not security experts, so the lib takes care of doing what's best according to current security recommendations
  3. Make sure that a good level of security is kept
    • like I said, developers are usually not security experts, so the lib should guarantee a good level of security at all times. For that, the access control and settings have to be limited to make sure no one is bringing security holes into his own app.

ms-emp (Contributor, Author) commented Mar 20, 2024

retrieveUserSession: !Capacitor.isNativePlatform() did the trick.

Badisi (Owner) commented Mar 20, 2024

Glad to see you got it working ;-)

You can also import and use isNativeMobile directly from the lib (which will make sure your app is either a Capacitor app or a Cordova app).
