Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Handling expanding session scope

See original GitHub issue

Description

I’ve been looking through the documentation and other issues, but I haven’t been able to find how this library handles the use-case of expanding scope in the session token.

Say for instance I follow the login process and in it, I request the scopes “openid profile”. If later on, I need to add a new scope like ‘cart’ to the session access token how should I go about doing this?

`.tokenCache(req, res).getAccessToken({scopes: ['cart'],refresh: true,}); `

This throws an error when the session is missing the requested scope. But how should that error be handled?

Reproduction

As a test created a dummy endpoint api/request-scope that simply calls handle login again but passes different scopes

export default async (req, res) => {
  try {
    console.log('Handling log in: ');
    await keycloak().handleLogin(req, res, {
      authParams: {
        trading_title: BRAND.toUpperCase(),
        trading_title_name: BRAND_NICE_NAME,
        isCheckout: Boolean(req.query.isCheckout),
        scope:
          'openid profile cart',
      },
    });
  } catch (error) {
    console.log('Login error ', error);
    res.status(error.status || 500).end(error.message);
  }
};

I do the normal sing in flow asking for the scopes “openid profile” and afterwards I enter that endpoint manually in the browser. It redirected straight to handle callback with the following error “state mismatch, expected eyJyZWRpcmVjdFRvIjoiLyIsIm5vbmNlIjoiOTgyZDUyNGE5OWYyZDRmOTlmZjFmNDViZTliMzU1MGYifQ, got: eyJub25jZSI6ImY0OGE4NzAyZjdlYjQ0NzFlOWYxYjQxMWE3NTNkN2EyIn0”

Environment

These are the initial values I pass when calling initAuth0

let keycloak;

const initKeycloak = () => {
  // Note: done this way to ensure that the runtime environment values are used.
  if (!keycloak) {
    keycloak = initAuth0({
      clientId: config.KEYCLOAK_CLIENT_ID,
      clientSecret: config.KEYCLOAK_CLIENT_SECRET,
      scope: config.KEYCLOAK_SCOPE,
      domain: config.KEYCLOAK_DOMAIN,
      redirectUri: config.KEYCLOAK_REDIRECT_URI,
      postLogoutRedirectUri: config.KEYCLOAK_DEFAULT_POST_LOGOUT_REDIRECT_URI,
      session: {
        cookieSecret: config.KEYCLOAK_SESSION_COOKIE_SECRET,
        cookieLifetime: config.KEYCLOAK_SESSION_COOKIE_LIFETIME_SECONDS,
        storeRefreshToken: true,
        storeAccessToken: true,
      },
    });
  }
  return keycloak;
};

Issue Analytics

  • State:closed
  • Created 3 years ago
  • Comments:8 (4 by maintainers)

github_iconTop GitHub Comments

1reaction
DTAPigeonscommented, Feb 10, 2021

@adamjmcgrath Sorry I gave up on the api/request-scope and just changed the sing in to handle both cases. It works fine, for now, I guess I was passing wrong parameters somehow. Thanks for all of your help.

export default async (req, res) => {
  try {
    const { pageName } = req.query;
    delete req.query.pageName;

    let scope = pageScopes['site'];

    if (pageName) {
      scope += pageScopes[`${pageName}`] ? ` ${pageScopes[`${pageName}`]}` : '';
    }

    console.log('Sining in with new scope: ', scope);

    await keycloak().handleLogin(req, res, {
      authParams: {
        trading_title: BRAND.toUpperCase(),
        trading_title_name: BRAND_NICE_NAME,
        isCheckout: Boolean(req.query.isCheckout),
        scope,
      },
    });
  } catch (error) {
    console.log('Login error ', error);
    res.status(error.status || 500).end(error.message);
  }
};
1reaction
DTAPigeonscommented, Feb 5, 2021

From that sample - it looks like you’re calling handleLogin in response to an ajax request, when it should be called in response to a UI request from your browser’s address bar.

Oh, so that’s how it works. Thanks, I’ll have to plan my auth logic around that.

Can you share the full url of your /callback page and the full url of your /request-scope page - for some reason you’re leaving a cookie at the /request-scope page which isn’t being picked up by the /callback page

It might be some conflicts with the initial config. I’ll have to verify once I’m using the actual sing in URL I’ll update here or start a separate issue if the problem continues.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Storing an object in Session, is that a good practice
Depends. If the object is supposed to be used application wide, shared among all users (sessions) and all requests, then put it in...
Read more >
Adding web session scope rules | Ping Identity Documentation
From the Type list, select Web Session Scope. From the Scope list, select the scope you want to match to values returned from...
Read more >
Domain scope - ServiceNow Docs
When record scope is in effect, click the UI action to expand to session scope and display all data available based to the...
Read more >
Control the Session with Spring Security - Baeldung
Configure Sessions with Spring Security - set up Concurrent Sessions, enable Session Fixation Protection and prevent URLs from containing ...
Read more >
session handling in JSF 1.2 - java - Stack Overflow
You can of course also just put a managed bean in the session scope. It's accessible from other managed beans by <managed-property> (or...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Custom store implementation

Next page

Updating documentation for common use cases