How to exclude the idToken from the session. #323

Closed
DTAPigeons opened this issue Mar 4, 2021 · 4 comments
Labels: needs investigation (This needs to be investigated further before proceeding)

Comments

DTAPigeons commented Mar 4, 2021

In order to reduce the size of my session cookie, I tried to remove the idToken from the session object in the after callback function as follows:

```js
delete session.idToken;
```

The problem is that when the session gets refreshed the idToken gets stored back into the session cookie. Is there a way to permanently remove it altogether?

Furthermore, we've had cases where our session call doesn't return an idToken. In that case, the library would throw the error

```
TypeError: id_token not present in TokenSet.
```

Is there a way to make the library ignore the idToken altogether, or do we have to configure things so the idToken is always provided and build separate logic to keep deleting it from the cookie?

adamjmcgrath (Contributor) commented

Hi @DTAPigeons - thanks for raising this

> The problem is that when the session gets refreshed the idToken gets stored back into the session cookie. Is there a way to permanently remove it altogether?

Yep - if you're using refresh tokens and you want to keep the id_token out of the session, you'll need to manage this yourself.

> Furthermore, we've had cases where our session call doesn't return an idToken. In that case, the library would throw the error
> TypeError: id_token not present in TokenSet.

I'm not sure which part of the SDK would throw this - can you provide a stack trace for this error?

adamjmcgrath added the needs investigation label Mar 4, 2021

DTAPigeons (Author) commented

Hi @adamjmcgrath, thank you for investigating!
This is the stack trace I'm getting:

```
TypeError: id_token not present in TokenSet
    at TokenSet.claims (C:\Diadraw\Ubiquedigital\Final repo\simplybe\node_modules\openid-client\lib\token_set.js:43:13)
    at Object.fromTokenSet (C:\Diadraw\Ubiquedigital\Final repo\simplybe\node_modules\@auth0\nextjs-auth0\dist\session\session.js:21:29)
    at Object.<anonymous> (C:\Diadraw\Ubiquedigital\Final repo\simplybe\node_modules\@auth0\nextjs-auth0\dist\session\get-access-token.js:46:42)
    at Generator.next (<anonymous>)
    at fulfilled (C:\Diadraw\Ubiquedigital\Final repo\simplybe\node_modules\@auth0\nextjs-auth0\node_modules\tslib\tslib.js:114:62)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:97:5)
```

adamjmcgrath (Contributor) commented

Hi @DTAPigeons - thanks for sharing that stack trace

> TypeError: id_token not present in TokenSet

I can't see how the refresh grant wouldn't return an id_token - do you have any more information about how to reproduce this? Have you removed openid from your scope somehow?

adamjmcgrath (Contributor) commented

Closing due to inactivity - @DTAPigeons, feel free to ping me on this thread if you want me to reopen
