
session_terminated in Chrome Incognito


When I login to my site from a Chrome incognito session, I get a session_terminated event almost immediately.
Firefox InPrivate session works fine. Works fine from localhost in any browser - only failing in deployed test or production site.

I’m stumped 😕

  • OS: Windows 10
  • Browser: Chrome 86 (probably some earlier versions too)
  • Angular 10.1 but was also with earlier 8+ versions.
  • angular-oauth2-oidc: ^10.0.3
  • Implicit flow to my own Identity Server

Config (environment):

    this._siteUrl = window.location.origin; // `${window.location.protocol}//${window.location.host}`;

    this.oidcConfig = <AuthConfig>{
        issuer: this.baseIdentityUrl,
        redirectUri: this._siteUrl + '/authenticate',
        postLogoutRedirectUri: this._siteUrl,
        clientId: 'barXui.client.js',
        scope: 'profile openid barXui.api.v1 payment.api.v1',
        silentRefreshRedirectUri: this._siteUrl + '/assets/silentrenew.html',
        useSilentRefresh: true,
        requireHttps: this.baseIdentityUrl.startsWith('https'),
        sessionChecksEnabled: true
    };

App Module:

import { OAuthStorage } from 'angular-oauth2-oidc';

providers: [
    ...
    { provide: OAuthStorage, useFactory: storageFactory }
    ...
]

// Keep tokens in sessionStorage: scoped to the tab and cleared when the tab closes.
export function storageFactory(): OAuthStorage {
  return sessionStorage;
}

Authentication Service:

    const urlOrigin = window.location.origin;
    // console.info('Using redirectUri:', `${urlOrigin}/authenticate`);

    /*
      The setup order here is important.
      See https://github.com/manfredsteyer/angular-oauth2-oidc/issues/724 and
      See https://github.com/manfredsteyer/angular-oauth2-oidc/issues/722
    */
    // CRITICAL SECTION STARTS *********************************
    this.oauthService.configure({
      ...environment.oidcConfig,
      sessionChecksEnabled: true,
      redirectUri: `${urlOrigin}/authenticate`,
      postLogoutRedirectUri: `${urlOrigin}`
    });

    // Listen for token expiry and attempt to silently refresh
    this.oauthService.setupAutomaticSilentRefresh();

    this.oauthService.tokenValidationHandler = new JwksValidationHandler();

    // Parse the fragment in the URL if present, and emit to listeners once parsed.
    // disableOAuth2StateCheck skips verification of the `state` value on the callback,
    // which removes the library's CSRF check on the login response.
    this.oauthService.loadDiscoveryDocumentAndTryLogin({
      disableOAuth2StateCheck: true,
      onTokenReceived: token => {
        this.onTokenGranted.next(token);
        // Announce the status of the authentication
        this.isAuthenticated.next(true);
      }
    });
    // CRITICAL SECTION ENDS *********************************

    // also set during /authenticate callback
    // needed by hasPermission
    this.policies.subscribe(pols => {
      this._policies = pols;
    });

    // If the user logged out on another window, this will be detected as a 'session_terminated'
    this.oauthService.events.pipe(
      filter(event => event.type === 'session_terminated')
    ).subscribe(() => {
      console.log('Session Expired.');
      // this.oauthService.logOut(false);
    });

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 13

Top GitHub Comments

1 reaction
jeroenheijmans commented, Mar 5, 2021

Thanks for sharing @mlbiche.

I run applications on subdomains, and cookies are shared as expected. One caveat might be that it’s subtly different perhaps, given the “Public Suffix List”. For example subdomains of github.io might not be considered trusted siblings and not share cookies.

If you run into cookie issues with regular old *.foobarexample.com subdomains I’d expect something else is at play, preventing cookies from being sent along.

0 reactions
mlbiche commented, Mar 5, 2021

@jeroenheijmans Last but not least comment, which clarifies that my issue seems not to be related to the module but it may help other devs: my IDServer (Keycloak) is using a cookie to identify the session and this cookie is used for the refresh iframe. Since Chrome 83, the browser policy in Incognito mode is stricter with third-party cookies, so this IDS cookie is blocked and the refresh leads to a session_terminated event. Same happens in Brave Browser. What surprises me is that my IDS is on the same domain as my SPA, but not on the same subdomain. According to the article you are referencing, "SPA Necromancy", it should work.

If needed, I can open a new issue but I feel like it is not something you are able to solve with the module.


