OIDC pipeline identity
Detects when the signed-in OIDC user or pipeline changes and triggers a hard reload so client state (Zustand, TanStack Query) cannot leak between users.
Module: @sumx/ssr-auth-core/oidc-pipeline-identity
Types
type OidcPipelineIdentity = {
subject: string;
pipelineKey: string;
// additional normalized fields from User profile
};Functions
| Function | Description |
|---|---|
normalizeAuthSubject(value) | Stable subject string |
getSubjectForServerSessionReconciliation(user, ...) | Subject for server/client reconcile |
getOidcPipelineIdentity(user) | Identity from OIDC User |
getOidcUserLoadedPipelineKey(user) | Pipeline key when profile loaded |
readStoredOidcPipelineIdentity() | From localStorage |
shouldHardReloadForOidcIdentityChange(prev, next) | true → full page reload |
When hard reload fires
- Different
subafter login - Pipeline / tenant key change on same browser profile
- Prevents showing previous user’s cached permissions or filters
Storage keys
Uses constants LAST_OIDC_PIPELINE_* keys — do not rename without migration.
Portal integration
CheckToken compares identity on each successful session sync and calls window.location.reload() when shouldHardReloadForOidcIdentityChange is true.