-
Notifications
You must be signed in to change notification settings - Fork 396
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to exclude the idToken from the session. #323
Comments
Hi @DTAPigeons - thanks for raising this
Yep - if you're using refresh tokens and you want to keep the id_token out of the session, you'll need to manage this yourself.
I'm not sure which part of the SDK would throw this - can you provide a stack trace for this error? |
Hi @adamjmcgrath, thank you for investigating!
|
Hi @DTAPigeons - thanks for sharing that stack trace
I can't see how the refresh grant wouldn't return an id_token - do you have anymore information about how to reproduce this? have you removed |
Closing due to inactivity - @DTAPigeons, feel free to ping me on this thread if you want me to reopen |
In order to reduce the size of my session cookie, I tried to remove the idToken from the session object in the after callback function as follows:
delete session.idToken;
The problem is that when the session gets refreshed the idToken gets stored back into the session cookie. Is there a way to permanently remove it altogether?
Furthermore, we've had cases where our session call doesn't return an idToken. In that case, the library would throw the error
TypeError: id_token not present in TokenSet
.Is there a way to make the library ignore the idToken all together or do we have to configure things so the idToken is aways provided and build separate logic to keep deleting it, from the cookie?
The text was updated successfully, but these errors were encountered: