-
Notifications
You must be signed in to change notification settings - Fork 30
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow SaveTokens to be set to false #140
base: main
Are you sure you want to change the base?
Conversation
What would happen when SaveTokens is set to false, and the SDK is configured to use For context, mostly talking about this code: Lines 185 to 239 in 307337f
|
Hi, I was wondering whether the new test was sufficient to pass your approval process? I understand it may take a while to pass your internal approval process. |
Thanks for adding that test. It looks like what this test is covering, is:
Do you think this is expected for a user? Why can they not use a refresh token when SaveTokens is set to false? I think it makes sense for the SDK to support setting SaveTokens to false, but I believe there is more to it than just passing along the value for SaveTokens. I believe we either need to:
Option 1 should probably be sufficient tho. |
The problem we have is that we want to use refresh tokens, but we don't want the sdk to automatically refresh them. We are working on a microservices platform where: -
All of the above components need access to the tokens, so it doesn't make sense for us to store these in the .Net authentication cookie of our 'Auth' service. As we can't currently control this, we hit header size errors as we pass our tokens and the .Net authentication cookie. We built our own mechanism to refresh the token, as the user only uses the Auth service for login and profile management. |
Thanks for sharing that. That does make sense. I wonder, that in this scenario, would it work for you to add the following after adding our SDK? services.Configure<OpenIdConnectOptions>(Auth0Constants.AuthenticationScheme, options => {
options.SaveTokens = false;
}); If the above works, that would be an easy workaround. |
I will give it a test today and get back to you. |
I can confirm that the above workaround solves our problem. We will use this, as it means we can stop using our custom version of the sdk. Thanks for the help. |
Description
The current SDK defaults the SetTokens property to true, which stores the ID, access, and refresh tokens in the Authentication cookie. This behaviour is the opposite of how the OpenIdConnect SDK works and increases the size of the cookies.
This PR allows users to configure the SaveTokens property via Auth0WebAppOptions.cs. The default value of this property is true, which ensures there are no breaking changes for current implementations.
References
https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.builder.openidconnectoptions
Testing
To test this feature works, I followed the structure of some of the other integration tests that sign the user into the application. The easiest way to prove whether the tokens were present in the authorisation cookie was to create another method on the Account controller and access HttpContext directly. I created two tests: -