dotnet/aspnetcore

Server Interactive Blazor Pages do not respect Sign-out with multiple browser tabs

jsmarsch opened this issue · 2 comments

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

Using cookie-based OIDC authentication and Blazor 8 Interactive Server pages (SignalR connection), if the user opens a second browser tab, navigates to the app, and then logs out of the app, the other browser tab remains logged in and is able to navigate and work with the app until a postback is forced.

Expected Behavior

User should be logged out in both tabs b/c the auth session has ended

Steps To Reproduce

Minimalistic project: using the Blazor WebAppOidc example in the dotnet/blazorsamples GitHub repo: https://github.com/dotnet/blazor-samples/8.0/BlazorWebAppOidc

  1. Disable WASM (in my case, I'm only supporting Server-Side Interactive)
  2. Configure this template to use an available OIDC provider (I'm using Keycloak)
  3. Start a debugging session and use the login feature
  4. Open a second browser tab
  5. Note that both browser tabs are logged in (expected, b/c shared cookie)
  6. Logout in one of the browser tabs
  7. Navigate around in the other browser tab without causing a postback

Exceptions (if any)

No response

.NET Version

8.0.200

Anything else?

I have read about the conundrum here, where the SignalR websocket connection doesn't cause a postback, so there is never a postback, and therefore no reason to re-validate the cookie. So, I kind of get the problem. Problem is, I'm not sure what to do about it. The user expectation is that when they click sign-out, their session is safely closed.

I have seen examples on the web that maintain an in-memory, singleton collection that can be used to track active sessions, but that only works if you are only running one instance of your web app -- if you are scaling horizontally, either manually or in a k8s cluster, you'll have multiple copies of the singleton -- one per process. Any wisdom on how to handle the sign-out problem?

cc: @guardrex dotnet/blazor-samples#297

@jsmarsch thanks for contacting us.

This is by design. Blazor Server is a connected model and once you are authenticated, your authentication state lives by default for the lifetime of the circuit. If you want to proactively log off a user in a different tab you need to implement that yourself using a RevalidatingServerAuthenticationStateProvider (https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.components.server.revalidatingserverauthenticationstateprovider?view=aspnetcore-8.0).
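One way to implement the revalidation the reply points at, written as an added example that is not code from the issue, the framework or the blazor-samples project: a RevalidatingServerAuthenticationStateProvider that polls a store shared by every app instance, which also answers the horizontal-scaling objection raised in the issue. It assumes (both are assumptions) that the OIDC provider issues a `sid` session-id claim and that an IDistributedCache such as Redis is registered and shared across instances.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.AspNetCore.Components.Server;
using Microsoft.Extensions.Caching.Distributed;

// Shared revocation list: one entry per signed-out session id, visible to all instances.
public sealed class RevokedSessionStore(IDistributedCache cache)
{
    private static string Key(string sid) => $"revoked-session:{sid}";

    // Called on sign-out; keep the entry at least as long as the cookie could live.
    public Task RevokeAsync(string sid, TimeSpan ttl, CancellationToken ct = default) =>
        cache.SetStringAsync(Key(sid), "1",
            new DistributedCacheEntryOptions { AbsoluteExpirationRelativeToNow = ttl }, ct);

    public async Task<bool> IsRevokedAsync(string sid, CancellationToken ct = default) =>
        await cache.GetStringAsync(Key(sid), ct) is not null;
}

public sealed class SessionRevalidatingAuthStateProvider(
    ILoggerFactory loggerFactory, RevokedSessionStore store)
    : RevalidatingServerAuthenticationStateProvider(loggerFactory)
{
    // How long a signed-out tab can keep working before its circuit is forced anonymous.
    protected override TimeSpan RevalidationInterval => TimeSpan.FromSeconds(30);

    protected override async Task<bool> ValidateAuthenticationStateAsync(
        AuthenticationState authenticationState, CancellationToken cancellationToken)
    {
        // "sid" claim is an assumption about the OIDC provider's token contents.
        var sid = authenticationState.User.FindFirstValue("sid");
        // Without a session id the state cannot be checked, so fail closed.
        if (string.IsNullOrEmpty(sid)) return false;
        return !await store.IsRevokedAsync(sid, cancellationToken);
    }
}

// Program.cs wiring (assumed names): shared cache, the provider, and a cookie event
// that revokes the session id whenever the user signs out, in any tab or instance.
// builder.Services.AddStackExchangeRedisCache(o => o.Configuration = "<redis-connection>");
// builder.Services.AddSingleton<RevokedSessionStore>();
// builder.Services.AddScoped<AuthenticationStateProvider, SessionRevalidatingAuthStateProvider>();
// builder.Services.Configure<CookieAuthenticationOptions>(
//     CookieAuthenticationDefaults.AuthenticationScheme, o =>
//         o.Events.OnSigningOut = ctx => ctx.HttpContext.RequestServices
//             .GetRequiredService<RevokedSessionStore>()
//             .RevokeAsync(ctx.HttpContext.User.FindFirstValue("sid") ?? "", TimeSpan.FromHours(8)));
```

The other tab is cut off at the next RevalidationInterval tick, not instantly, so the interval is the window to tune against store load. Plain (non-circuit) requests still carry the old cookie until it expires, so the same store check belongs in the cookie handler's OnValidatePrincipal as well.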