Use when you only need to know if a session is alive — no claims are returned.
200
+
201
+
Requires a stored `id_token` to send as `id_token_hint`. Fails immediately with `no_id_token_hint` if storage is empty.
202
+
203
+
How the check runs depends on `redirectUri`:
204
+
205
+
-**With `redirectUri`** (iframe): a hidden iframe loads the authorization URL. The AS redirects to `redirectUri` on success or appends error params on failure. The `redirectUri` must be same-origin — the browser blocks cross-origin iframe content access.
206
+
-**Without `redirectUri`** (fetch): a plain GET to the authorization endpoint — no iframe. The AS returns `204` on success or `400` on failure. Use this when no same-origin callback page is available.
207
+
208
+
Returns `{ mode: 'none' }` on success.
209
+
210
+
##### `responseType: 'id_token'`
211
+
212
+
Use when you need the user's claims back from the session. The AS issues a fresh `id_token` whose decoded claims are returned on success.
213
+
214
+
Always uses the iframe path — `redirectUri` is required. A stored `id_token` is sent as `id_token_hint` if available but is not required.
215
+
216
+
`state` and `nonce` are validated before claims are returned. If `subject` is provided, the `sub` claim must also match — otherwise any active session's claims are returned.
217
+
218
+
```js
219
+
constsession=awaitoidcClient.user.session({
220
+
responseType:'id_token',
221
+
subject: knownUserId, // optional — omit to get claims for whoever is logged in
222
+
});
223
+
if (!('error'in session)) {
224
+
console.log(session.claims); // JWTPayload
225
+
}
226
+
```
227
+
228
+
Returns `{ mode: 'id_token', claims: JWTPayload }` on success.
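Review bot: The example at lines 219-226 calls `oidcClient.user.session({ responseType: 'id_token', subject: knownUserId })` without a `redirectUri`, although line 214 states that `redirectUri` is required for this response type. Either add `redirectUri` to the example or say where a default value comes from, so the sample does not contradict the text above it. Line 216 could also say explicitly that a caller who omits `subject` should compare `claims.sub` against the expected user before trusting the result, since the text notes that any active session's claims are returned in that case.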