
How to use existing token in a new usermanager instance without signinRedirect #1684

ept-Ayush opened this issue Oct 1, 2024 · 6 comments

@ept-Ayush

I am passing the token, client_id and domain via query param. I want to use the token to get a new token, but I was not able to find any solution. I have to call signinRedirect again and do the same process for logging in and getting a new token.

Is there any simple solution for this?

@pamapa
Member

pamapa commented Oct 3, 2024

The existing access token and, if used, the refresh token are stored either in local or session storage.

Something like this, assuming you are using the default sessionStorage.

import { User } from "oidc-client-ts";

// Reads the user oidc-client-ts persisted under its storage key and
// rehydrates it into a User object (the same thing UserManager.getUser returns).
function getUser() {
    // Key format: oidc.user:<authority>:<client_id>; replace the placeholders.
    const oidcStorage = sessionStorage.getItem(`oidc.user:<your authority>:<your client id>`);
    if (!oidcStorage) {
        return null; // nothing stored: the user has not signed in on this origin
    }

    return User.fromStorageString(oidcStorage);
}

@pamapa pamapa added the question Further information is requested label Oct 3, 2024
@ept-Ayush
Author

ept-Ayush commented Oct 7, 2024

@pamapa Thanks for the response, but actually my main problem is, let's say:

I have a website www.example.com where I am initiating the login via signinRedirect, and there I am storing the data in localStorage. There I have everything like the token, refresh token and all the other details (that is, the user is successfully signed in). After sign-in I have to send the user to www.differentdomain.com, where the user is not logged in. So what I am doing is redirecting to the second website with query params like www.differentdomain.com?token=someValidToken&clientId=someClientId&domain=someUserDomain. Now what exactly I want is, if somehow I can use this token (if it's valid) directly without calling signinRedirect again (maybe signinSilent, but it didn't work for now), because right now on the other website I am doing the sign-in process again internally, as at that time it will not have any localStorage or cookies, it being an entirely different domain.

Like, somehow, if there is any simpler way so that it would work without calling the authentication endpoint again.

@pamapa
Member

pamapa commented Oct 7, 2024

Hard to say. But typically access tokens are bound to the domain, and I can't know if the access token would work for both domains.
If you have a valid user (access token, refresh token and claims), you can also inject it into your localStorage (oidc.user:<your authority>:<your client id>) before setting up the UserManager. When you need to do that, this means <your authority> or <your client id> is different, thus I doubt this would work. If they match, you do not need to copy and it might work automatically.
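To make the two suggestions above concrete (reading the stored user back, and injecting a user under the storage key before creating the UserManager), here is an added example that is not part of the thread or of oidc-client-ts itself. It assumes the stored JSON has the fields the library serializes (access_token, token_type, expires_at, profile) and uses an in-memory Map in place of window.localStorage so it runs outside a browser; it also adds the checks a second origin should make before trusting anything it finds there.

```javascript
// Added example (not oidc-client-ts code). Assumptions: the stored user shape
// mirrors User.toStorageString() output, and a Map stands in for Web Storage.

// The key UserManager reads on construction: oidc.user:<authority>:<client_id>.
// If authority or client_id differ between the two apps, the lookup misses,
// which is exactly why copying a user across clients does not work.
function userStorageKey(settings) {
  return `oidc.user:${settings.authority}:${settings.client_id}`;
}

// Minimal stand-in for the Storage interface (getItem/setItem/removeItem).
function makeMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Inject a previously obtained user under the key the UserManager will look up.
function injectUser(storage, settings, user) {
  storage.setItem(userStorageKey(settings), JSON.stringify(user));
}

// Load the user only if it parses, carries an access token, and has not expired;
// otherwise return null, like the "if (!oidcStorage) return null" pattern above.
function loadValidUser(storage, settings, nowSeconds = Math.floor(Date.now() / 1000)) {
  const raw = storage.getItem(userStorageKey(settings));
  if (!raw) return null;
  let user;
  try { user = JSON.parse(raw); } catch (e) { return null; }
  if (typeof user.access_token !== "string" || !user.access_token) return null;
  if (typeof user.expires_at !== "number" || user.expires_at <= nowSeconds) return null;
  return user;
}

// Constructed demo data: app A stores a user; app B (different client_id) finds nothing.
const settingsA = { authority: "https://idp.example", client_id: "app-a" };
const settingsB = { authority: "https://idp.example", client_id: "app-b" };
const demoStore = makeMemoryStorage();
injectUser(demoStore, settingsA, {
  access_token: "constructed-token", token_type: "Bearer",
  expires_at: 2000, profile: { sub: "user-1" },
});
```

With matching settings the stored user is returned; with a different client_id or an expired expires_at the loader returns null and the app must fall back to a normal sign-in.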

@ept-Ayush
Author

ept-Ayush commented Oct 7, 2024

@pamapa Actually both are our domains, but they are separate domains. About the injecting part (oidc.user:<your authority>:<your client id>): the authority and client id are the same in the new one as well, but I am wondering whether there is any function/method to create the same response as we get from UserManager.getUser from the access token itself, as that response contains a lot of things?

Then it could probably work without attempting to log in again.

@Badisi
Contributor

Badisi commented Oct 7, 2024

@ept-Ayush, I think you are approaching the problem from the wrong angle. Each web app should be registered individually in your IdP. They represent separate clients, and tokens from one client cannot be used with other clients (the IdP will reject them). You should instead look for SSO or put both clients under the same realm so that the user session can be used for both (i.e. the first client's log-in creates the session, and when the second client needs to log in as well, it reuses the session, so there is no need to authenticate).

Plus, security-wise, you shouldn't be passing the tokens as query parameters. This was used in the past in the implicit flow, but has since been deprecated as it is not secure. Same with storing tokens in local storage: it is not considered secure and should be avoided if possible (if you can, prefer storing tokens in the app memory and use sign-in silent to regain access from the current session, if any).

@ept-Ayush
Author

ept-Ayush commented Oct 8, 2024

Actually my hands are tied. I have different domains. I agree with your points that each IdP should use a different client id. Ultimately I want to create the SSO itself; to create that, I have added domain A as the login server, and the other domains B and C will go through A to get the login data.

For localStorage, I am using it to use the same session in multiple tabs.

If somehow I can create the same response as pamapa said, I can achieve this.
