Comments (5)
hi @RihanArfan
Thanks for the tip.
I was currently looking at this, but I'm going to try your approach.
If you figure out how to manage the refresh token, please leave a comment, and I'll do the same.
from nuxt-auth-utils.
@victorlmneves Make sure to include the offline_access scope, and you'll get a refresh token within tokens, assuming you've enabled the relevant settings within your Auth0 dashboard (or in my case, via Azure).
I'm working on a server util getAccessToken(session) which would handle refreshing an expired access token. I'm thinking of storing the refresh token via useStorage(), and the result of getAccessToken() using Nitro's caching layer with a TTL a little less than the JWT expiry: https://nitro.unjs.io/guide/cache#function (which uses unstorage under the hood too).
If the refresh token doesn't work (90+ days unused, user changed password/removed device from trusted, etc. in Microsoft specifically), I'll redirect them to the auth endpoint.
from nuxt-auth-utils.
Had the same query and figured it out. It's exposed where you register the OAuth event handler.
// /server/routes/auth/sso.ts
// oauth, setUserSession and sendRedirect are auto-imported by nuxt-auth-utils / Nuxt
export default oauth.microsoftEventHandler({
  async onSuccess(event, { user, tokens }) { // <-- tokens exposed here
    console.log("Tokens", tokens); // only for local debugging; never log tokens in production
    await setUserSession(event, {
      user: {
        microsoft: user,
      },
      loggedInAt: Date.now(),
    });
    return sendRedirect(event, "/");
  },
});
Be aware that storing the token within setUserSession() will expose it to the client at /api/_auth/session. That's fine in examples like a client calling the GitHub API using their access token to access their own resources. However, if substantial scopes are granted (e.g. deleting devices on Active Directory), you may want to store the access token on the server, and keep a reference to it within setUserSession() so you can access the token within requests to server routes.
from nuxt-auth-utils.
hi @RihanArfan
I know that the question is about being able to expose it so I can access it without having to add it to the object.
Currently, I'm doing it like this, but I don't think it's safe to do it:
export default oauth.auth0EventHandler({
  config: authConfig(),
  async onSuccess(event, { user, tokens }) {
    // Note: a Pinia store is Vue-app state; it is not available inside a Nitro server handler
    const userStore = useUserStore();
    userStore.$state.isLoggedIn = true;
    userStore.$state.user = user;
    await setUserSession(event, {
      user: {
        login: user,
      },
      loggedInAt: Date.now(),
      auth0AccessToken: tokens.access_token, // ends up in the client-readable session
    });
    return sendRedirect(event, '/');
  },
});
from nuxt-auth-utils.
However, if substantial scopes are granted (e.g. deleting devices on Active Directory), you may want to store the access token on the server, and keep a reference to it within setUserSession() so you can access the token within requests to server routes.
Here's an example of what I'm doing:
// server/routes/auth.ts
export default oauth.microsoftEventHandler({
  async onSuccess(event, { user, tokens }) {
    // Access token stays server-side, keyed by the Microsoft user id; only the user goes into the session.
    // With no driver mounted, useStorage() keeps items in memory (lost on restart, not shared across instances).
    await useStorage().setItem(`token:${user.id}`, tokens.access_token);
    await setUserSession(event, { user, loggedInAt: Date.now() });
    return sendRedirect(event, "/");
  },
});

// server/api/example.get.ts
export default defineEventHandler(async (event) => {
  const session = await requireUserSession(event);
  // Look the token up by the id stored in the session; the token itself never reaches the client
  const accessToken = await useStorage().getItem(`token:${(session.user as { id: string }).id}`);
  // TODO: validate JWT is valid
  // TODO: your code
  // ...
});
You'll still need to handle refresh tokens otherwise your application won't be able to call an API after 1 hour (most common access token JWT expiry). I'm figuring out how to handle refresh tokens still.
from nuxt-auth-utils.
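The server-side token store and the refresh handling discussed in the comments above, as an added example that is not code from nuxt-auth-utils or from the commenters. It assumes a key-value store with the get/set/remove shape Nitro's useStorage() provides, an OAuth2 token endpoint reachable through a fetch-like function, and a hypothetical client id/secret; the token endpoint, the "user-1" token data and the token values are constructed for the demo.

```typescript
// Added example, not nuxt-auth-utils code: keep OAuth tokens server-side keyed by user id and
// refresh them with the refresh_token grant. KV matches the shape of Nitro's useStorage();
// the token endpoint, client id/secret and the "user-1" token data are constructed for this demo.

type TokenSet = { access_token: string; refresh_token?: string; expires_at: number /* epoch ms */ };
interface KV {
  getItem(key: string): Promise<unknown>;
  setItem(key: string, value: unknown): Promise<void>;
  removeItem(key: string): Promise<void>;
}
type FetchInit = { method: string; headers: Record<string, string>; body: string };
type FetchLike = (url: string, init: FetchInit) => Promise<{ ok: boolean; json(): Promise<unknown> }>;
type RefreshFn = (refreshToken: string) => Promise<{ ok: boolean; body: Record<string, unknown> }>;

const REFRESH_SKEW_MS = 60_000; // refresh a minute early so a token never expires mid-request
class ReauthRequired extends Error {}

// Standard refresh_token grant (RFC 6749 section 6): a URL-encoded POST to the token endpoint.
function makeRefresher(tokenUrl: string, clientId: string, clientSecret: string, fetchImpl: FetchLike): RefreshFn {
  return async (refreshToken) => {
    const form = new URLSearchParams({ grant_type: "refresh_token", refresh_token: refreshToken,
                                       client_id: clientId, client_secret: clientSecret });
    const res = await fetchImpl(tokenUrl, { method: "POST",
      headers: { "content-type": "application/x-www-form-urlencoded" }, body: form.toString() });
    return { ok: res.ok, body: (await res.json()) as Record<string, unknown> };
  };
}

// onSuccess side: persist the token set; the client-visible session then only needs the user id.
async function storeTokens(kv: KV, userId: string,
  t: { access_token: string; refresh_token?: string; expires_in?: number }, now = Date.now()): Promise<void> {
  const set: TokenSet = { access_token: t.access_token, refresh_token: t.refresh_token,
                          expires_at: now + (t.expires_in ?? 3600) * 1000 };
  await kv.setItem(`token:${userId}`, set);
}

// Server-route side: return a usable access token, refreshing when needed, or demand a new login.
async function getAccessToken(kv: KV, refresh: RefreshFn, userId: string, now = Date.now()): Promise<string> {
  const key = `token:${userId}`;
  const stored = (await kv.getItem(key)) as TokenSet | null;
  if (!stored) throw new ReauthRequired("no tokens stored for user");
  if (stored.expires_at - REFRESH_SKEW_MS > now) return stored.access_token;
  if (!stored.refresh_token) throw new ReauthRequired("expired and no refresh token (offline_access not granted?)");
  const res = await refresh(stored.refresh_token);
  const accessToken = res.body.access_token;
  if (!res.ok || typeof accessToken !== "string") {
    // invalid_grant (revoked, unused too long, password change): drop the set so it is not retried forever
    await kv.removeItem(key);
    throw new ReauthRequired(String(res.body.error ?? "refresh failed"));
  }
  const next: TokenSet = {
    access_token: accessToken,
    // providers that rotate refresh tokens return a new one; otherwise keep the old one
    refresh_token: typeof res.body.refresh_token === "string" ? res.body.refresh_token : stored.refresh_token,
    expires_at: now + Number(res.body.expires_in ?? 3600) * 1000,
  };
  await kv.setItem(key, next);
  return next.access_token;
}

function memoryKV(): KV {
  const m = new Map<string, unknown>();
  return {
    async getItem(k) { return m.get(k) ?? null; },
    async setItem(k, v) { m.set(k, v); },
    async removeItem(k) { m.delete(k); },
  };
}

// Constructed token endpoint: accepts each refresh token once and rotates it; anything else is invalid_grant.
function fakeTokenEndpoint(): FetchLike {
  const valid = new Set(["rt-1"]);
  let issued = 1;
  return async (_url, init) => {
    const params = new URLSearchParams(init.body);
    const rt = params.get("refresh_token") ?? "";
    if (params.get("grant_type") !== "refresh_token" || !valid.has(rt)) {
      return { ok: false, json: async () => ({ error: "invalid_grant" }) };
    }
    valid.delete(rt);
    issued += 1;
    valid.add(`rt-${issued}`);
    return { ok: true, json: async () => ({ access_token: `at-${issued}`, refresh_token: `rt-${issued}`, expires_in: 3600 }) };
  };
}

async function demo() {
  const kv = memoryKV();
  const refresh = makeRefresher("https://login.example/oauth2/token", "client-id", "client-secret", fakeTokenEndpoint());
  const t0 = 1_700_000_000_000;
  await storeTokens(kv, "user-1", { access_token: "at-1", refresh_token: "rt-1", expires_in: 3600 }, t0);
  const fresh = await getAccessToken(kv, refresh, "user-1", t0 + 1_000);          // still valid: "at-1"
  const refreshed = await getAccessToken(kv, refresh, "user-1", t0 + 3_600_000);  // expired: refreshed to "at-2"
  const reused = await getAccessToken(kv, refresh, "user-1", t0 + 3_601_000);     // fresh token reused: "at-2"
  await kv.setItem("token:user-1", { access_token: "at-x", refresh_token: "rt-revoked", expires_at: 0 });
  let reauth = false;
  try { await getAccessToken(kv, refresh, "user-1", t0); } catch (e) { reauth = e instanceof ReauthRequired; }
  const wiped = (await kv.getItem("token:user-1")) === null;
  return { fresh, refreshed, reused, reauth, wiped };
}
```

In a Nuxt route this would be called as getAccessToken(useStorage(), refresh, session.user.id) after requireUserSession(event), with ReauthRequired mapped to a redirect to the login route. Expiry is taken from the provider's expires_in rather than by decoding the access token, because Microsoft Graph access tokens are not meant to be parsed by the client application.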