Tags: reactjs, security, oauth-2.0, single-page-application, openid

Force logout (finish session) using OAuth 2.0/OpenID


I have a single-page application (SPA) based on React, and I would like to implement OAuth 2.0 authentication, specifically using OpenID.

This application runs on a device that may be shared by different consecutive users. Therefore, I need to ensure that a user is logged out once they finish their session. This way, the next user will be prompted to enter the credentials again.

To implement this, should I delegate all the security aspects to the authentication provider? Or does OpenID provide a standard/generic mechanism to force the logout that all authentication providers should follow? Is there any recommendation or good practice to achieve this?

Thank you.


Solution

  • Your app can implement an OpenID Connect logout, but you may not always be able to force the user to do a logout when they end a session, e.g. if they just close the app. You can force removal of tokens from the app though.

    One way to do so is by storing tokens only in memory. Another is to use HTTP only session cookies. You will need to ensure a new browser session for each user, without any leftover cookies or tokens.

    One option to be aware of is the OpenID Connect prompt=login parameter to force a new login. This can be useful if the authorization server issues persistent SSO cookies that survive browser restarts. It should also be possible for the authorization server to forward prompt=login to external identity providers in flows that use them.