Pega Session remains valid even if OpenID Provider session is invalid (logged off)
We are using the OIDC Auth Service in our main application and in some other applications.
For the applications integrated into our main application (iFrame/Mashup), a silent login happens because we use the same OP session, which is valid at that time.
However, when a logoff happens in the main application, or in another browser tab within another application that uses the same OP session, the OpenID Provider session becomes invalid, but the Pega sessions are still valid, and using the URL PRAuth/oidc the user still has access to all Pega applications.
So if another customer logs in to the main application and accesses one of the integrated services, that user will see the session of the previous user.
What are the best practices to handle this?
Using prompt=none as a parameter in the OIDC Auth Service doesn't really help.
I configured it as explained in the LSA Security Excellence meetup: https://collaborate.pega.com/discussion/clsa-security-excellence-webinar-recording-handout-januari-2021
I also found an article about "Repeating Passive Authentication Requests against the OP Authorization Endpoint with the prompt=none parameter added" -> here: https://medium.com/@technospace/managing-sessions-with-openid-connect-d3b6fb4f552b
Calling the logoff URL of all possibly open Pega applications is not really a valid solution in my view.
What I want to try next is the check-session iframe approach, also elaborated in this article: https://medium.com/@technospace/managing-sessions-with-openid-connect-d3b6fb4f552b
Are there any other ideas?