
Comments (5)

victorlmneves commented on July 20, 2024

Hi @RihanArfan,
Thanks for the tip.
I was currently looking at this, but I'm going to try your approach.
If you figure out how to manage the refresh token, please leave a comment, and I'll do the same.

from nuxt-auth-utils.

RihanArfan commented on July 20, 2024

@victorlmneves Make sure to include the offline_access scope, and you'll get a refresh token within tokens, assuming you've enabled the relevant settings within your Auth0 dashboard (or in my case, via Azure).

I'm working on a server util getAccessToken(session) which would handle refreshing an expired access token. I'm thinking of storing the refresh token via useStorage(), and the result of getAccessToken() using Nitro's caching layer with a TTL a little less than the JWT expiry. https://nitro.unjs.io/guide/cache#function (which uses unstorage under the hood too).

If the refresh token doesn't work (90+ days unused, user changed pw/removed device from trusted, etc. in Microsoft specifically), I'll redirect them to the auth endpoint.


RihanArfan commented on July 20, 2024

Had the same query and figured it out. It's exposed where you register the OAuth event handler.

// /server/routes/auth/sso.ts
export default oauth.microsoftEventHandler({
  async onSuccess(event, { user, tokens }) { // <-- tokens exposed here
    console.log("Tokens", tokens);

    await setUserSession(event, {
      user: {
        microsoft: user,
      },
      loggedInAt: Date.now(),
    });

    return sendRedirect(event, "/");
  },
});

Be aware that storing the token within setUserSession() will expose it to the client at /api/_auth/session. That's fine in examples like a client calling the GitHub API using their access token to access their own resources. However, if substantial scopes are granted (e.g. deleting devices on Active Directory), you may want to store the access token on the server, and keep a reference to it within setUserSession() so you can access the token within requests to server routes.


victorlmneves commented on July 20, 2024

Hi @RihanArfan,
I know the question is about being able to expose it so it can be accessed without having to add it to the object.
Currently, I'm doing it like this, but I don't think it's safe to do it this way:

export default oauth.auth0EventHandler({
    config: authConfig(),
    async onSuccess(event, { user, tokens }) {
        const userStore = useUserStore();
        userStore.$state.isLoggedIn = true;
        userStore.$state.user = user;

        await setUserSession(event, {
            user: {
                login: user,
            },
            loggedInAt: Date.now(),
            auth0AccessToken: tokens.access_token,
        });

        return sendRedirect(event, '/');
    },
});


RihanArfan commented on July 20, 2024

However, if substantial scopes are granted (e.g. deleting devices on Active Directory), you may want to store the access token on the server, and keep a reference to it within setUserSession() so you can access the token within requests to server routes.

Here's an example of what I'm doing:

// server/routes/auth.ts
export default oauth.microsoftEventHandler({
  async onSuccess(event, { user, tokens }) {
    // Keep the access token server-side, keyed by user id, instead of in the session
    await useStorage().setItem(`token:${user.id}`, tokens.access_token);

    await setUserSession(event, { user, loggedInAt: Date.now() });
    return sendRedirect(event, "/");
  },
});

// server/api/example.get.ts
export default defineEventHandler(async (event) => {
  const session = await requireUserSession(event);
  // Look the token up by the user id stored in the session
  const accessToken = await useStorage().getItem(`token:${(session.user as { id: string }).id}`);
  // TODO: validate JWT is valid

  // TODO: your code
  ...
});

You'll still need to handle refresh tokens, otherwise your application won't be able to call an API after 1 hour (the most common access token JWT expiry). I'm still figuring out how to handle refresh tokens.

