Expired session breaks another session in unexpected ways

[mrkvon]

Search terms you've used

expire, expired, prompt=none, refresh token, refresh_token

Impacted package

Which packages do you think might be impacted by the bug ?

• solid-client-authn-browser
• solid-client-authn-node
• solid-client-authn-core
• oidc-client-ext
• Other (please specify): ...

Bug description

When a session in a new tab expires, it breaks an original tab that would otherwise refresh without issues. No event is dispatched by the broken original session.

To Reproduce

0. Have a Solid identity on CSS (v7) set up to short-lived access tokens. Have an app that uses solid-client-authn-browser and restorePreviousSession: true
1. Sign in to the app with the Solid identity. Make sure to select Remember this client during the login flow.
2. Wait until the session nearly times out, and observe that it gets refreshed and sessionRestore event gets dispatched.
3. Open the app in a new tab. Observe that you are signed in.
4. Wait until the new tab session expires. Observe that event sessionExpired is dispatched and you get signed out or you can't fetch protected resources.
5. Go back to the original tab, and see that the original session times out without refresh, and without any event being dispatched. It also keeps isLoggedIn: true

Expected result

• Preferably: When one session expires, don't break sessions in other tabs.
• At least: Dispatch an appropriate event (e.g. sessionExpired) in the other tabs when the session in them breaks, and sign out those sessions.

Actual result

• Session expiry in one tab breaks session in other tab that would otherwise stay alive. No event is dispatched in the other tab, and session becomes expired and logged in at the same time.

This leads to a poor developer experience. The app must keep checking the session regularly if it wants to reflect the state correctly.

Context

This is related to issue CommunitySolidServer/CommunitySolidServer#1058 and #1682.

When you sign in to CSS explicitly, the solid-client-authn-browser receives refresh_token. However, during silent login (prompt=none), the refresh_token is not provided by CSS. That's why the session in the original tab keeps refreshing; and a session in a new tab or after page reload expires.

This issue (inconsistent handling of the broken session) might be caused by the library clearing local storage and cookies when the new session expires.

[NSeydoux]

Hi @mrkvon , thanks for reporting this.

The fact that having two tabs with the same session leads to interactions is expected: local storage is stored by origin, so the two tabs effectively share some state, but not all state (as some state is in memory). In order to observe what you describe, I assume auto-refresh isn't disabled: when opening the new tab, the page should be redirected to the OpenID Provider, and be instantly redirected back, provided the session cookie is still valid. At this point, you have two "separate" sessions, one in each tab, each with its own lifecycle. However, and I would need to confirm this, I suspect the new session cleans up the older one, which was implemented to fix some issues when a session leaving a bad state in storage would prevent logging back in. As a result, when the older session expires, it has a refresh token in memory, but it doesn't have some of the expected state in local storage.

I don't expect I'll be able to fix this in the near future, because of the implications when a bad state is persisted in storage, but I agree the older session should at least log out properly on failure to refresh, I'll see when we can schedule this part of the fix.