@lullis Thank you for working on this. I've only given it a cursory review, but it looks like a great start. It'll probably be late next week before I can look at this closely. Ping me again if I don't manage to get you a review by next Friday.

@lullis I'm quite busy at the moment. I think that I should be able to have a look at this in the next ~3 months. Do please remind me if I forget it.

@Qup42, just pinging to remind you about this PR.

@lullis any guidance on testing procedures for this PR?

@dopry I got a small app going to test these features athttps://codeberg.org/raphael/oidc-client-testbed.

I won't make any strong claims about its overall quality (I relied on Cursor to generate a lot of the boilerplate and the vue components), but I did check the actual functionality and it works well enough to check the session frame part.

@lullis I was wondering more about test plans I could follow for testing manually. I can try to use your OIDC test bed, we also have the test/app/rp which we can use, although it may need to be updated. Not sure if I have session handling in that client.

@dopry, I am reasonably confident that there is nothing about session handling in that client - at least not related to the session iframe. If started my vue app precisely because I couldn't find any demo application that exercised this functionality.

Anyway, I was testing this with my app by running both the idp and the vue app. You can then login through the vue app, which will authenticate you in the idp. Once you login there will be a "session info" tab that will show you as logged in. You can open a console and you will see that the rp has an iframe which will be pinging the idp every few seconds. If you open another tab and logout directly on the IDP, the session will be finished and the rp will then show you as logged out.

the RP uses my svelte-oidc package which is a proxy tohttps://github.com/DuendeArchive/identity-model-oidc-client-js more or less. I'm fairly certainhttps://github.com/DuendeArchive/identity-model-oidc-client-js/blob/dev/src/SessionMonitor.js handles session management in that library. Whether the tests/app/rp has session management enabled is another question.

I've been meaning to update that tohttps://github.com/authts/oidc-client-ts, which is a TS port of the same library.

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report?Let us know!

Looks like we have at least 4 more code branches to test in order to get coverage where it needs to be.

@dopry added missing tests, looks like codecov is happy now...

@dopry Would be great if we could get forward with this feature, too ;-)

A way you can help streamline the review process for me is lay out an easy end to end tests for me using the tests/rp and tests/idp or some other setup using docker compose so I can verify the functionality more easily without needing to implement a client to test each of these features myself.

or some other setup using docker compose

Can you please check ifhttps://codeberg.org/raphael/oidc-client-testbed would work for you? It does have a way to test the session iframe. I can make a docker image if you want, as well.

I only have a few hours a week for work on this project... Having to spin up and configure a 3rd party example will eat up all my review time for a week. 3rd Party examples do not create an easy way for other developers to test the features in the future, nor does it provide example implementations for consumers. I'd really like to keep all the functionality demonstration in tests/app/[idp,rp]. That said I'll try to get your example setup to test... just don't expect any additional review by me this week.

Ultimately, I want all of this local so we can start working on setting up playwright tests that run through all the features so it's not something maintainers need to do manually with every change.