Dynamically return JWT Token / refresh token


I have a situation where based upon settings of the AuthUser, I want to return a different JWT Token and NO refresh token.
I already have a custom implementation of CredentialsAuthProvider - do I need a custom JwtAuthProvider as well in the flow, and how to change for a specific user (based upon criteria) to return or not return a refresh token, and another (validity) of a JWT Token?


Likely the easiest solution is to look for the AuthenticateResponse in a Global ResponseFilter then modify the result that’s returned, something like:

GlobalResponseFilters.Add((req, res, apiResponse) => {
    if (apiResponse is HttpResult httpRes &&
        httpRes.Response is AuthenticateResponse authRes)
    {
        // Replace the HttpResult E.g.
        // httpRes.Cookies.Clear();
    }
});

Otherwise preventing the existing behavior is a bit tricky as you’ll need to override the AuthFeature.AuthResponseDecorator with your own impl

Which would look something like:

public class CustomCredentialsAuthProvider : CredentialsAuthProvider
{
    public override void Register(IAppHost appHost, AuthFeature feature)
    {
        base.Register(appHost, feature);

        // Keep the decorator that was registered before this provider (e.g. JWT's)
        var hold = feature.AuthResponseDecorator;
        feature.AuthResponseDecorator = authCtx => {
            if (authCtx.Session.UserName == "...")
            {
                // Custom handling for this user goes here
            }
            return hold?.Invoke(authCtx) ?? authCtx.AuthResponse;
        };
    }
}

Note: Your custom Auth Provider would need to be registered after JwtAuthProvider to ensure your Register() is run after JWT’s
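A fuller version of the GlobalResponseFilters approach, added here as an example and not part of the original thread: it withholds the refresh token from selected users and leaves the JWT itself untouched. The user list, the class name and the "ss-reftok" cookie name are assumptions; check the cookie name against your ServiceStack version.

```csharp
using System;
using System.Collections.Generic;
using ServiceStack;

public static class RefreshTokenPolicy
{
    // Hypothetical criteria: constructed user names that must never hold a refresh token.
    static readonly HashSet<string> NoRefreshUsers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "kiosk-user" };

    // Assumed name of the refresh-token cookie.
    const string RefreshTokenCookie = "ss-reftok";

    // Call from AppHost.Configure(), e.g. RefreshTokenPolicy.Register(this);
    public static void Register(IAppHost appHost)
    {
        appHost.GlobalResponseFilters.Add((req, res, apiResponse) =>
        {
            // Only successful Authenticate responses are of interest.
            if (!(apiResponse is HttpResult httpRes) ||
                !(httpRes.Response is AuthenticateResponse authRes))
                return;

            if (authRes.UserName == null || !NoRefreshUsers.Contains(authRes.UserName))
                return;

            // Drop the refresh token from the response body...
            authRes.RefreshToken = null;

            // ...and from any cookie queued on the HttpResult, so the client
            // has no long-lived credential once the JWT expires.
            httpRes.Cookies.RemoveAll(c => c.Name == RefreshTokenCookie);
        });
    }
}
```

The JWT returned to these users keeps the provider-wide expiry, so they must re-authenticate with credentials once it lapses.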

Thanks for the tip. The GlobalResponseFilters did the job!
