
I currently have an Angular 2 SPA calling a Web API. I am using a Security Token Service implemented with Identity Server 3 and the oidc-client-js JavaScript library to provide authentication and authorization to use the Web API.

The protocol is OpenId Connect using the implicit flow.

I have implemented silent token refresh based on this article. This is in order to always have a current Access_Token when calling the API.

In order to log the user out after a period of inactivity I am using a JavaScript timer to call the UserManager.signoutRedirect method from the Oidc_Client_Js library.

This works, however I am concerned that this could be open to manipulation as the user's session is controlled by JavaScript on the client.

My question is, are there any recommended techniques to apply a 'rolling' automatic sign-out on Single Page Apps secured with OpenId Connect?

Dwall
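The following is an added example, not code from the question or from oidc-client-js. It separates the two halves of the problem the question raises: the rolling idle timer on the client is a usability measure that any user can tamper with from the browser console, so the enforceable bound has to be the access token's `exp` claim (validated by the Web API) together with the identity provider's server-side session lifetime. The timer is written as pure logic with an injectable clock so it runs in Node without a DOM; `installIdleSignOut` shows how it would be wired to the `UserManager.signoutRedirect` method named in the question and to browser activity events (the event names and the `setInterval` polling interval are assumptions). The token used in the demonstration is constructed inline and is not a real credential.

```javascript
// Added example: a rolling idle-timeout for an OIDC SPA plus a client-side
// expiry check. The timer is UX only; real enforcement is the token's exp
// claim (verified by the API) and the IdP's own session lifetime.

// Rolling idle timer: every user interaction pushes the sign-out deadline
// forward; check() is meant to be driven by setInterval in the browser.
class RollingIdleTimer {
  constructor({ idleMs, now = () => Date.now(), onIdle }) {
    this.idleMs = idleMs;
    this.now = now;           // injectable clock, so the logic is testable
    this.onIdle = onIdle;     // e.g. () => userManager.signoutRedirect()
    this.lastActivity = now();
    this.fired = false;
  }

  // Call from activity listeners (mousemove, keydown, click, touchstart).
  activity() {
    if (!this.fired) this.lastActivity = this.now();
  }

  // Returns true once the idle deadline has passed; onIdle fires only once.
  check() {
    if (this.fired) return true;
    if (this.now() - this.lastActivity >= this.idleMs) {
      this.fired = true;
      this.onIdle();
      return true;
    }
    return false;
  }
}

// base64url helpers (RFC 7515 encoding used by JWT segments).
function b64urlDecode(s) {
  const pad = s.length % 4 === 0 ? '' : '='.repeat(4 - (s.length % 4));
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64').toString('utf8');
}
function b64urlEncode(s) {
  return Buffer.from(s).toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Read the exp claim of a JWT WITHOUT verifying it. The SPA has no signing
// key and only uses exp to decide whether the token is still worth sending;
// the Web API must verify the signature, issuer, audience and exp itself.
function jwtExpiry(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact serialization');
  const claims = JSON.parse(b64urlDecode(parts[1]));
  if (typeof claims.exp !== 'number') throw new Error('missing exp claim');
  return claims.exp; // seconds since the Unix epoch
}

// Client-side pre-check with a small clock-skew margin: if this returns
// false the app should run silent renew (or sign out) before calling the API.
function tokenUsable(token, nowSeconds, skewSeconds = 30) {
  return jwtExpiry(token) - skewSeconds > nowSeconds;
}

// Constructed demonstration token: real-looking shape, fake signature.
function constructToken(claims) {
  const header = b64urlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  return `${header}.${b64urlEncode(JSON.stringify(claims))}.${b64urlEncode('fake-signature')}`;
}

// Browser wiring (assumed event names; only call this in a browser context).
// userManager is an oidc-client-js UserManager as used in the question.
function installIdleSignOut(userManager, idleMs) {
  const timer = new RollingIdleTimer({ idleMs, onIdle: () => userManager.signoutRedirect() });
  for (const ev of ['mousemove', 'keydown', 'click', 'touchstart']) {
    window.addEventListener(ev, () => timer.activity(), { passive: true });
  }
  setInterval(() => timer.check(), 1000);
  return timer;
}

module.exports = { RollingIdleTimer, jwtExpiry, tokenUsable, constructToken, installIdleSignOut };
```

Design note: because the timer state lives in the browser, a user (or script injected into the page) can simply stop calling `check()`; that only delays the redirect, it does not extend the session, because the access token still expires at `exp` and silent renew stops working once the identity provider's server-side session has reached its own idle or absolute limit. Configuring a short access-token lifetime and a server-side session timeout on the token service is therefore the part that actually bounds the session; the client timer just makes the sign-out visible to the user sooner.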

0 Answers