We have a unique solution that utilizes multiple Single Page Applications (SPAs) developed in both Angular and AngularJS. These applications integrate the oidc-client-js library for authentication with IdentityServer4. However, due to limitations of AngularJS, we are required to embed our legacy AngularJS apps within iframes. Our main application allows users to log in through IdentityServer4 and subsequently access various SPAs within that main application. This setup works flawlessly until a user logs out and then logs back in as a different user. While the main app and Angular 7 apps display the correct user information, the user remains unchanged when accessing an application rendered in an iframe from a previous session.
In accordance with the documentation provided by IdentityServer, I attempted to include a FrontChannelLogoutUri to notify all logged-in clients and terminate all sessions. However, I was unable to determine the function of this logout page.
Additionally, I tried to clear all grants upon logging out, but found that there were no grants to be cleared. To accomplish this, I implemented the following method:
await _persistedGrantService.RemoveAllGrantsAsync(subjectId, clientId);
This particular method from IdentityServer returned an empty list:
var grants = await _interaction.GetAllUserConsentsAsync();
I am under the impression that rendering the FrontChannelLogoutUri should effectively end the session; however, I am unsure how to achieve this successfully.
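The following is an added example, not part of the original post and not code from IdentityServer4 or oidc-client-js. It sketches what a page registered as FrontChannelLogoutUri has to do: check the `iss` and `sid` query parameters defined by OpenID Connect Front-Channel Logout and then delete the client's locally stored user. The function names, the example hosts and the assumption that the user is stored under the key `oidc.user:<authority>:<client_id>` with `sid` in its profile are assumptions of this sketch.

```javascript
// Added example: logic for a front-channel logout page in an iframe-hosted SPA.
// Assumptions (not from the post): the OP appends `iss` and `sid` to the
// logout URI, and the stored user lives under "oidc.user:<authority>:<client_id>".

// Minimal Storage-like object so the logic can run outside a browser.
function makeStorage(initial) {
  const m = new Map(Object.entries(initial));
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    removeItem: (k) => { m.delete(k); },
  };
}

function handleFrontChannelLogout(requestUrl, config, storage) {
  const params = new URL(requestUrl).searchParams;
  const iss = params.get('iss');
  const sid = params.get('sid');
  const key = `oidc.user:${config.authority}:${config.clientId}`;

  // The logout URI can be framed by any site, so require our own issuer.
  if (iss !== config.authority) {
    return { cleared: false, reason: 'issuer mismatch' };
  }

  const raw = storage.getItem(key);
  if (raw === null) {
    return { cleared: false, reason: 'no stored user' };
  }

  // Compare the session id in the request with the one from the stored user.
  let storedSid;
  try {
    storedSid = JSON.parse(raw).profile.sid;
  } catch {
    storedSid = undefined; // unreadable entry: fall through and remove it
  }
  if (sid && storedSid && sid !== storedSid) {
    return { cleared: false, reason: 'sid mismatch' };
  }

  // Drop the cached user so the next load of the embedded app must
  // authenticate again and picks up the user who is now signed in.
  storage.removeItem(key);
  return { cleared: true, reason: 'session ended' };
}
```

In a browser, the logout page would call this with `window.location.href` and the storage object the app's user store is configured to use.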