Do server-side sessions correspond to changes in the /checkSession endpoint? #455
I currently have a few SPAs that use your /checkSession endpoint in order to check the user's session by loading the iFrame and checking the cookie's validity as described here: https://openid.net/specs/openid-connect-session-1_0.html

If I were to implement server-side sessions and I revoke all active sessions for that subjectId, does that raise a session changed event in the iFrame?

The documentation only mentions that we should react to refresh token expiry instead, and there's no mention about the above specification: https://docs.duendesoftware.com/identityserver/ui/server-side-sessions/inactivity-timeout/#clients-with-refresh-tokens

In your documentation for the user session service, it leads me to believe that the above approach is supported but I'm not 100% sure. It seems to all depend on the session cookie. https://docs.duendesoftware.com/identityserver/reference/services/user-session-service/

On a somewhat related note, I would also specify that external logout is front channel logout in your documentation here: https://docs.duendesoftware.com/identityserver/ui/logout/external-notification/

Thanks very much
Replies: 1 comment 4 replies
No, not automatically. The checksession iframe will have an event that is raised whenever the cookie expires because of its age, but the iframe does not perform an HTTP request to IdentityServer to also update the session cookie. Whenever a back-channel logout occurs, or you revoke a server-side session, the session cookie will only be updated (or expired) whenever the user visits IdentityServer in the browser.
If you also use silent renew/login using `prompt=none`, this does trigger an IdentityServer endpoint which would refresh the sessi…
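The behaviour described in the reply, as an added example that is not part of the original thread and is not IdentityServer's own code: it follows the non-normative OP iframe sample in the OpenID Connect Session Management spec linked in the question, and shows that the comparison uses only the cookie value already in the browser. The client id, origin, cookie value and salt are constructed, and IdentityServer's exact hash input may differ from the spec sample.

```javascript
// Added example: check_session comparison modelled on the spec's sample.
const { createHash } = require("node:crypto");

// session_state as the OP issues it in the authentication response.
function computeSessionState(clientId, origin, opbs, salt) {
  const hash = createHash("sha256")
    .update(`${clientId} ${origin} ${opbs} ${salt}`)
    .digest("hex");
  return `${hash}.${salt}`;
}

// What the OP iframe does for each postMessage from the RP.
// cookieOpbs is the browser-state value read from the session cookie
// (null when the cookie is absent). No HTTP request is made here.
function checkSession(message, origin, cookieOpbs) {
  const sep = message.lastIndexOf(" ");
  if (sep <= 0) return "error";
  const clientId = message.slice(0, sep);
  const sessionState = message.slice(sep + 1);
  const parts = sessionState.split(".");
  if (parts.length !== 2 || !parts[0] || !parts[1]) return "error";
  if (cookieOpbs == null) return "changed";
  const expected = computeSessionState(clientId, origin, cookieOpbs, parts[1]);
  return expected === sessionState ? "unchanged" : "changed";
}

// Constructed sample values (assumptions, not from the thread).
const CLIENT = "spa-client";
const ORIGIN = "https://app.example";
const issued = computeSessionState(CLIENT, ORIGIN, "sid-abc123", "s4lt");

// Server-side session revoked, but the browser cookie is untouched:
// the iframe recomputes the same hash and sees no change.
function afterServerSideRevocation() {
  return checkSession(`${CLIENT} ${issued}`, ORIGIN, "sid-abc123");
}

// The browser has since visited the OP (for example a prompt=none
// request), which expired the cookie: now the iframe reports a change.
function afterBrowserVisitsOp() {
  return checkSession(`${CLIENT} ${issued}`, ORIGIN, null);
}
```
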