feat(session): ✨ Tokens are now exposed via. userdata not in session cookie

Author: itpropro

playground/nuxt.config.ts

@@ -32,8 +32,6 @@ export default defineNuxtConfig({
         additionalLogoutParameters: {
           logoutHint: '',
         },
-        exposeIdToken: true,
-        exposeAccessToken: false,
         allowedClientAuthParameters: [
           'test',
         ],
@@ -65,7 +63,6 @@ export default defineNuxtConfig({
         clientId: '',
         clientSecret: '',
         redirectUri: 'http://localhost:3000/auth/keycloak/callback',
-        exposeAccessToken: false,
         userNameClaim: 'preferred_username',
       },
       cognito: {
@@ -75,6 +72,7 @@ export default defineNuxtConfig({
         scope: ['openid', 'email', 'profile'],
         logoutRedirectUri: 'https://google.com',
         baseUrl: '',
+        exposeIdToken: true,
       }
     },
     session: {

src/runtime/composables/oidcAuth.ts

@@ -31,7 +31,7 @@ export function useOidcAuth() {
         Accept: 'text/json',
       },
       method: 'POST',
-    }).catch(() => (undefined)) as UserSession)
+    }).catch(() => login()) as UserSession)
   }
 
   /**

src/runtime/providers/cognito.ts

@@ -36,5 +36,6 @@ export const cognito = defineOidcProvider<OidcProviderConfig, CognitoRequiredFie
     automaticRefresh: true,
     expirationThreshold: 240,
   },
+  exposeIdToken: true,
   logoutRedirectParameterName: 'logout_uri',
 })

src/runtime/providers/entra.ts

@@ -62,6 +62,11 @@ export const entra = defineOidcProvider<EntraProviderConfig, EntraIdRequiredFiel
     openIdConfig.issuer = [`https://${parsedUrl.host}/${tenantId}/v2.0`, openIdConfig.issuer]
     return openIdConfig
   },
+  sessionConfiguration: {
+    expirationCheck: true,
+    automaticRefresh: true,
+    expirationThreshold: 1800,
+  },
   validateAccessToken: false,
   validateIdToken: true,
 })

src/runtime/providers/keycloak.ts

@@ -50,6 +50,11 @@ export const keycloak = defineOidcProvider<KeycloakProviderConfig, KeycloakRequi
   additionalLogoutParameters: {
     idTokenHint: '',
   },
+  sessionConfiguration: {
+    expirationCheck: true,
+    automaticRefresh: true,
+    expirationThreshold: 240,
+  },
   validateAccessToken: true,
   validateIdToken: false,
   exposeIdToken: true,

src/runtime/server/lib/oidc.ts

@@ -243,20 +243,14 @@ export function callbackEventHandler({ onSuccess }: OAuthConfig<UserSession>) {
       config.optionalClaims.forEach(claim => parsedIdToken[claim] && ((user.claims as Record<string, unknown>)[claim] = (parsedIdToken[claim])))
     }
 
-    // Expose access token
-    if (config.exposeAccessToken)
-      user.accessToken = tokenResponse.access_token
-
-    if (config.exposeIdToken)
-      user.idToken = tokenResponse.id_token
-
-    if (tokenResponse.refresh_token) {
+    if (tokenResponse.refresh_token || config.exposeAccessToken || config.exposeIdToken) {
       const tokenKey = process.env.NUXT_OIDC_TOKEN_KEY as string
       const persistentSession: PersistentSession = {
         exp: accessToken.exp as number,
         iat: accessToken.iat as number,
         accessToken: await encryptToken(tokenResponse.access_token, tokenKey),
-        refreshToken: await encryptToken(tokenResponse.refresh_token, tokenKey),
+        ...tokenResponse.refresh_token && { refreshToken: await encryptToken(tokenResponse.refresh_token, tokenKey) },
+        ...tokenResponse.id_token && { idToken: await encryptToken(tokenResponse.id_token, tokenKey) },
       }
       const userSessionId = await getUserSessionId(event)
       await useStorage('oidc').setItem<PersistentSession>(userSessionId, persistentSession)
@@ -282,7 +276,7 @@ export function logoutEventHandler({ onSuccess }: OAuthConfig<UserSession>) {
       const logoutRedirectUri = logoutParams.logoutRedirectUri || config.logoutRedirectUri || `${getRequestURL(event).protocol}//${getRequestURL(event).host}`
 
       // Set logout_hint and id_token_hint dynamic parameters if specified. According to https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
-      const additionalLogoutParameters: Record<string, string> = {}
+      const additionalLogoutParameters: Record<string, string> = config.additionalLogoutParameters || {}
       if (config.additionalLogoutParameters) {
         const userSession = await getUserSession(event)
         Object.keys(config.additionalLogoutParameters).forEach((key) => {

src/runtime/server/utils/oidc.ts

@@ -56,9 +56,10 @@ export async function refreshAccessToken(refreshToken: string, config: OidcProvi
   }
 
   // Construct tokens object
-  const tokens: Record<'refreshToken' | 'accessToken', string> = {
+  const tokens: Record<'refreshToken' | 'accessToken' | 'idToken', string> = {
     refreshToken: tokenResponse.refresh_token || refreshToken,
     accessToken: tokenResponse.access_token,
+    idToken: tokenResponse.id_token || '',
   }
 
   // Construct user object
@@ -75,13 +76,6 @@ export async function refreshAccessToken(refreshToken: string, config: OidcProvi
     config.optionalClaims.forEach(claim => parsedIdToken[claim] && ((user.claims as Record<string, unknown>)[claim] = (parsedIdToken[claim])))
   }
 
-  // Expose tokens
-  if (config.exposeAccessToken)
-    user.accessToken = tokenResponse.access_token
-
-  if (config.exposeIdToken)
-    user.idToken = tokenResponse.id_token
-
   return {
     user,
     tokens,

src/runtime/server/utils/session.ts

@@ -92,12 +92,19 @@ export async function refreshUserSession(event: H3Event) {
     iat: accessToken.iat || Math.trunc(Date.now() / 1000),
     accessToken: await encryptToken(tokens.accessToken, tokenKey),
     refreshToken: await encryptToken(tokens.refreshToken, tokenKey),
+    ...tokens.idToken && { idToken: await encryptToken(tokens.idToken, tokenKey) },
   }
 
   await useStorage('oidc').setItem<PersistentSession>(session.id as string, updatedPersistentSession)
-  await session.update(defu(user as UserSession, session.data))
+  const { accessToken: _accessToken, idToken: _idToken, ...userWithoutToken } = user
 
-  return session.data
+  await session.update(defu(userWithoutToken as UserSession, session.data))
+
+  return {
+    ...session.data,
+    ...(tokens.accessToken && (useRuntimeConfig(event).oidc.providers[provider]?.exposeAccessToken || providerPresets[provider].exposeAccessToken)) && { accessToken: tokens.accessToken },
+    ...(tokens.idToken && (useRuntimeConfig(event).oidc.providers[provider]?.exposeIdToken || providerPresets[provider].exposeIdToken)) && { idToken: tokens.idToken },
+  }
 }
 
 // Deprecated, please use getUserSession
@@ -154,6 +161,19 @@ export async function getUserSession(event: H3Event) {
       })
     }
   }
+  // Expose tokens if configured
+  if (useRuntimeConfig(event).oidc.providers[provider]?.exposeAccessToken || providerPresets[provider].exposeAccessToken) {
+    const persistentSession = await useStorage('oidc').getItem<PersistentSession>(session.id as string) as PersistentSession | null
+    const tokenKey = process.env.NUXT_OIDC_TOKEN_KEY as string
+    if (persistentSession)
+      userSession.accessToken = await decryptToken(persistentSession.accessToken, tokenKey)
+  }
+  if (useRuntimeConfig(event).oidc.providers[provider]?.exposeIdToken || providerPresets[provider].exposeIdToken) {
+    const persistentSession = await useStorage('oidc').getItem<PersistentSession>(session.id as string) as PersistentSession | null
+    const tokenKey = process.env.NUXT_OIDC_TOKEN_KEY as string
+    if (persistentSession?.idToken)
+      userSession.idToken = await decryptToken(persistentSession.idToken, tokenKey) || undefined
+  }
   return userSession
 }
 
@@ -169,7 +189,7 @@ function _useSession(event: H3Event) {
     Object.keys(useRuntimeConfig(event).oidc.providers).map(
       key => key as ProviderKeys,
     ).forEach(
-      key => providerSessionConfigs[key] = defu(useRuntimeConfig(event).oidc.providers[key]?.sessionConfiguration, {
+      key => providerSessionConfigs[key] = defu(useRuntimeConfig(event).oidc.providers[key]?.sessionConfiguration, providerPresets[key].sessionConfiguration, {
         automaticRefresh: useRuntimeConfig(event).oidc.session.automaticRefresh,
         expirationCheck: useRuntimeConfig(event).oidc.session.expirationCheck,
         expirationThreshold: useRuntimeConfig(event).oidc.session.expirationThreshold,

src/runtime/types.ts

@@ -102,7 +102,8 @@ export interface PersistentSession {
   exp: number
   iat: number
   accessToken: EncryptedToken
-  refreshToken: EncryptedToken
+  refreshToken?: EncryptedToken
+  idToken?: EncryptedToken
 }
 
 export interface TokenRequest {