OIDC SPA
GitHubHome
v4
  • Documentation
  • Release Notes & Upgrade Instructions
v4
  • Documentation
    • πŸ”©Installation
    • πŸ‘¨β€πŸ”§Basic Usage
    • πŸ”ŒWeb API
    • ⏲️Auto Logout
    • ❗Error Management
    • 🎭Mock
    • πŸ”Tokens Renewal
    • πŸ›‘οΈGlobally Enforce Authentication
    • πŸ”User Account Management
    • πŸ”„Doing Something Only When a New Session is Created
  • Example setups
    • πŸ›£οΈTanStack Router
    • πŸ›€οΈReact Router
  • Resources
    • πŸ”‘Keycloak Configuration Guide
    • πŸ‘₯Accessing Keycloak Groups
    • πŸͺEnd of third-party cookies
    • πŸ—οΈJWT Of the Access Token
    • πŸ’¬Discord Server
  • ⭐Sponsors
Powered by GitBook
On this page
  • Configuring auto logout policy
  • Displaying a coutdown timer before auto logout

Was this helpful?

Export as PDF
  1. Documentation

Auto Logout

Automatically logging out your user after a set period of inactivity on your app (they dont move the mouse or press any key on the keyboard for a while)

PreviousWeb APINextError Management

Last updated 9 months ago

Was this helpful?

Configuring auto logout policy

This is a policy that is enforced on the identity server.

The auto logout is defined by the lifespan of the refresh token.

For example, if you're using Keycloak and you want an auto disconnect after 10 minutes of inactivity you would set the SSO Session Idle to 10 minutes. See .

If you can't configure your identity provider you can still enforce auto logout like so:

import { createOidcΒ } from "oidc-spa";

const oidcΒ = await createOidc({
  // ...
  __unsafe_ssoSessionIdleSeconds: 10 * 60 // 10 minutes
  //autoLogoutParams: { redirectTo: "current page" } // Default
  //autoLogoutParams: { redirectTo: "home" }
  //autoLogoutParams: { redirectTo: "specific url", url: "/a-page" }
});
import { createReactOidc } from "oidc-spa/react";

export const {
    OidcProvider,
    useOidc
} = createReactOidc({
    // ...
    __unsafe_ssoSessionIdleSeconds: 10 * 60 // Ten minutes
    //autoLogoutParams: { redirectTo: "current page" } // Default
    //autoLogoutParams: { redirectTo: "home" }
    //autoLogoutParams: { redirectTo: "specific url", url: "/a-page" }
});

Note that this parameter is marked as unsafe because what happens if the user closes the tab? He will be able to return a while back and still be logged in. oidc-spa can't enforce a security policy when it's not running. Only the identity server can.

Displaying a coutdown timer before auto logout

const { unsubscribeFromAutoLogoutCountdown } = oidc.subscribeToAutoLogoutCountdown(
  ({ secondsLeft }) => {
    if( secondsLeft === undefined ){
      console.log("Countdown reset, the user moved");
      return;
    }
    if( secondsLeft > 60 ){
      return;
    }
    console.log(`${secondsLeft} before auto logout`)
  }
);
⏲️
Keycloak configuration guide
The demo app with a short SSO Session Idle
https://github.com/keycloakify/oidc-spa/blob/main/examples/tanstack-router/src/router/AutoLogoutCountdown.tsx
Example implementation of a 60 seconds countdown before autologout.