OIDC Session Management in a SPA (Single-Sign-Out)

I am currently implementing SSO on multiple applications using OIDC. I am not sure how to handle single-sign-out in a Single-Page App (SPA) for token-based authentication.

Consider two applications. Application A is a standard Spring MVC application that uses the OAuth2 Authorization Code flow, and application B is a SPA using the implicit flow. If a user has signed into Application A, when they navigate to Application B they are automatically signed in via SSO, which is to be expected. However, if the user logs out of Application A and then navigates to application B, currently app B still loads and allows access to APIs because it has a valid OAuth2 access token stored in browser local storage. I would like application B to require the user to re-authenticate before making any other requests.

What is the recommended approach for doing single sign out in a SPA, since there is no way to have the identity provider send a 'signout' request to a server endpoint?

A couple of possible solutions I have thought of are:

  1. Create one-time-use access tokens that must be re-generated with every request.
  2. Check for an active IDP session any time Application B wants to make a request to our apis.

I am hesitant to use either of those two solutions because they require an additional request to the IDP any time the user interacts with the app. Are there any other strategies to solve this problem?

Edit

Thanks to sdoxsee for the answer which brought out the need for more clarification. I should have mentioned that logging out of either Application A or Application B also logs the user out of the IDP session. However, because application B has a valid access token in browser local storage, when the user navigates to app B, they will still be 'signed in' to app B despite not having an active IDP session. Hopefully that provides some more clarification.

dhouston asked Oct 16 '22 17:10
1 Answer

Unless you sign out of the IDP, you'll get logged right back in automatically in your client apps even if you end the client session. You've got to end the IDP (or OP) session. I.e., you don't sign out of Gmail without signing out of Google Maps, YouTube, Google Drive as well by signing out of your Google account (IDP/OP). The most common way of signing out (that I've seen implemented) with OIDC is captured in an implementation draft: http://openid.net/specs/openid-connect-session-1_0.html#RPLogout

Note: this isn't part of the OIDC spec itself, so OP implementations may not have this.

Update based on edited question:

dhouston, as I understand it, you're not ok with simply logging out the RP (client) and the OP (identity provider), but rather all RPs that have signed in with the OP during the OP's session. This is trickier, but there is a draft for this as well that builds on the one I mentioned earlier: http://openid.net/specs/openid-connect-frontchannel-1_0.html.

Warning: I haven't tried this myself. The basic idea is that the OP keeps track of a list of RPs that have signed in via its session and initiates a log out of each RP. Again, this is not in the OIDC spec but following implementation drafts is probably wiser than rolling your own strategy.

There are likely other implementation drafts to solve this issue so if this one doesn't help, search around some more (referencing this one) as there will likely be comparisons to other options.

sdoxsee answered Oct 21 '22 03:10