
Comments (14)

NilsBaumgartner1994 avatar NilsBaumgartner1994 commented on July 4, 2024

As defined here: https://docs.directus.io/self-hosted/sso.html#single-sign-on-sso

from directus.

paescuj avatar paescuj commented on July 4, 2024

This is intended, the Data Studio only works with session mode 👍

from directus.

NilsBaumgartner1994 avatar NilsBaumgartner1994 commented on July 4, 2024

This is intended, the Data Studio only works with session mode 👍

@paescuj
How can I then support SSO logins for my native apps?
I would have to choose either to support login on the Data Studio OR in my Native App?

from directus.

NilsBaumgartner1994 avatar NilsBaumgartner1994 commented on July 4, 2024

@paescuj and why is the other mode then listed in the docs if that does not work with the Data Studio? https://docs.directus.io/self-hosted/sso.html#single-sign-on-sso
Also please update the Doc then to say, that only "session" works.

from directus.

NilsBaumgartner1994 avatar NilsBaumgartner1994 commented on July 4, 2024

@paescuj Also now the Endpoint for the Auth Providers also does not show them anymore. So how do I know as a client that such a provider is supported?

from directus.

br41nslug avatar br41nslug commented on July 4, 2024

I would have to choose either to support login on the Data Studio OR in my Native App?

You could make that choice or update the native app to use the session token getting things back to the way you had them.

Also now the Endpoint for the Auth Providers also does not show them anymore. So how do I know as a client that such a provider is supported?

The auth providers endpoint still returns all sso providers unless you're using the ?sessionOnly flag

from directus.

NilsBaumgartner1994 avatar NilsBaumgartner1994 commented on July 4, 2024

I would have to choose either to support login on the Data Studio OR in my Native App?

You could make that choice or update the native app to use the session token getting things back to the way you had them.

Also now the Endpoint for the Auth Providers also does not show them anymore. So how do I know as a client that such a provider is supported?

The auth providers endpoint still returns all sso providers unless you're using the ?sessionOnly flag

Okay sorry to bother you, but I am having now multiple questions:

Just to make sure: Setting it to "cookie" will result, that the SSO provider will also not be visible in the Data Studio?

  1. A client then can't decide if he wants to login with the mode "cookie" or "session" as this is decided by the server.

  2. It seems not possible (and intended) to the a Refresh Token out of the Session Token? So my users would need to relogin every 15 minutes, since the session token is then outdated?

  3. Can confirm: Auth provider is shown by the client, when using "cookie" mode. Can I somehow get the refresh_token (in the backend) from the user_id or the session_token?

from directus.

br41nslug avatar br41nslug commented on July 4, 2024
  1. the client can't decide because the App only supports session as security improvement over the legacy cookie mode. So they would be deciding between being able to log in or not.
  2. "It seems not possible (and intended) to the a Refresh Token out of the Session Token?" wording is a bit awkward but a session token acts as both access token and refresh token so you can refresh them as desired (the only change is that you will need to refresh before it expires since it is a single token)
  3. In order to get a cookie mode refresh token you'll have to log in using cookie mode (you can't turn one type of token into another, without backend extensions)

from directus.

NilsBaumgartner1994 avatar NilsBaumgartner1994 commented on July 4, 2024
  1. the client can't decide because the App only supports session as security improvement over the legacy cookie mode. So they would be deciding between being able to log in or not.
  2. "It seems not possible (and intended) to the a Refresh Token out of the Session Token?" wording is a bit awkward but a session token acts as both access token and refresh token so you can refresh them as desired (the only change is that you will need to refresh before it expires since it is a single token)
  3. In order to get a cookie mode refresh token you'll have to log in using cookie mode (you can't turn one type of token into another, without backend extensions)

So that is nice, that we only need the session_token now and not also a refresh_token extra. And it is also nice, that we can just refresh that token.
Uff, okay that means a bit of changes in our app. But thanks.

How is the refresh now done? https://docs.directus.io/reference/authentication.html#refresh
The docs still state only the old method (refresh and access token).

acts as both access token and refresh token
Or is it really both?

from directus.

br41nslug avatar br41nslug commented on July 4, 2024

Or is it really both?

It really is both so if you were using cookie mode before the refresh endpoint flow works the same, do a request with the cookie then the cookie is replaced and expiry time returned.

from directus.

NilsBaumgartner1994 avatar NilsBaumgartner1994 commented on July 4, 2024

Or is it really both?

It really is both so if you were using cookie mode before the refresh endpoint flow works the same, do a request with the cookie then the cookie is replaced and expiry time returned.

I have done using "json" before. So by using the directus_session_token this should work?

//console.log("authenticate_with_access_token set refresh_token to directus_access_token")
await ServerAPI.simpleAuthentificationStorage?.set({
	access_token: directus_access_token,
	refresh_token: directus_access_token,
	expires: null,
	expires_at: null,
});

console.log("CALL NOW THE REFRESH");
const result = await client.request(refresh('json', directus_access_token));

from directus.

NilsBaumgartner1994 avatar NilsBaumgartner1994 commented on July 4, 2024

@br41nslug so why does the json refresh then not work with the session_token?

//console.log("authenticate_with_access_token set refresh_token to directus_access_token")
await ServerAPI.simpleAuthentificationStorage?.set({
	access_token: directus_access_token,
	refresh_token: directus_access_token,
	expires: null,
	expires_at: null,
});

console.log("CALL NOW THE REFRESH");
const result = await client.request(refresh('json', directus_access_token));

I am getting BAD REQUEST as error?

from directus.

br41nslug avatar br41nslug commented on July 4, 2024

because you aren't using session mode, the session token "behaves" like a refresh token it is not identical to one.

from directus.

NilsBaumgartner1994 avatar NilsBaumgartner1994 commented on July 4, 2024

because you aren't using session mode, the session token "behaves" like a refresh token it is not identical to one.

Uff okay. So I need to call: client.refresh('session', session_token) ?

from directus.
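
Added example, not part of the thread and not Directus project code: a session-mode refresh written against the REST endpoint directly, showing that the session token travels only in the cookie and that the refresh must be scheduled before the single token expires. Assumptions not stated in the thread: the /auth/refresh path, the {"mode": "session"} body, the data.expires field in milliseconds, and the placeholder host directus.example.test.

```javascript
// Build the refresh request. In session mode the token is carried by the
// httpOnly session cookie, so the body names the mode and holds no refresh_token
// (the thread shows that passing a session token in 'json' mode fails).
function buildSessionRefreshRequest(baseUrl) {
  return {
    url: new URL('/auth/refresh', baseUrl).toString(), // assumed endpoint path
    init: {
      method: 'POST',
      credentials: 'include', // browsers: send and accept the session cookie;
                              // a native app needs a cookie jar instead
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ mode: 'session' }),
    },
  };
}

// Read the new lifetime. Assumption: a session-mode response carries only
// `data.expires`; a token in the JSON body means another mode was used.
function parseSessionRefreshResponse(payload) {
  const data = payload && payload.data;
  if (!data || !Number.isFinite(data.expires) || data.expires <= 0) {
    throw new Error('refresh response has no usable expiry');
  }
  if ('access_token' in data || 'refresh_token' in data) {
    throw new Error('token returned in body: response is not session mode');
  }
  return data.expires;
}

// A session token is a single token: once expired it cannot refresh itself.
// Schedule the next refresh a margin before expiry (at most half the lifetime).
function nextRefreshDelay(expiresMs, marginMs = 30000) {
  return Math.max(0, expiresMs - Math.min(marginMs, expiresMs / 2));
}

// One refresh round trip; resolves to the delay until the next one is due.
async function refreshSession(baseUrl, fetchImpl = fetch) {
  const { url, init } = buildSessionRefreshRequest(baseUrl);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`refresh failed: HTTP ${res.status}`);
  return nextRefreshDelay(parseSessionRefreshResponse(await res.json()));
}
```
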
