Google OAuth with Javascript only

I am still having some difficulty finalizing the Google Auth implementation. I’m falling at the final hurdle.

Here are the details:

  1. I have the Google authentication completing well through to the final redirect URL (good).
  2. If the final page is an ASP MVC page, I can view the ss-id and ss-pid values in the Request.Cookies values (good).
  3. Once it reaches the view, or if the final page is a JavaScript-only page, the cookies are not accessible. I am assuming it's because they are marked HttpOnly?

In our case, the main web app is JavaScript only (not ASP MVC), so in this case I'm still unsure how to acquire the ss-tok so that we can make subsequent API calls.

The AJAX call to session-to-token returns Unauthorized, I assume because the ss-id cookie is not available.

I set host.Config.AllowNonHttpOnlyCookies = true; and now have visibility of ss-id etc. within the view/JavaScript.

But still session-to-token fails with 401.

Any thoughts on how I can resolve that?

The error I'm seeing is:

HTTP401: DENIED - The requested resource requires user authentication.
(XHR)POST - http://localhost:9000/session-to-token

I guess this is just a standard CORS error, and the issue is due to the fact that the web app is on a different URL (localhost:8080 vs localhost:9000). I have allowed credentials and had to add explicit hosts to the config, and it started working after that.

I'm left with a few residual questions:

  1. Previously I had overridden the onSessionSave function to not persist (blank method); however, I am assuming this must be reinstated, as the conversion from session to token requires a persistent session.
  2. I am noticing that when I run each Google auth chain I am getting different ss-id and ss-pid values, which is good, but the ss-tok (after calling session-to-token) appears to be the same. I would have expected it to change accordingly?
  3. Sometimes the google auth chain fails and returns me back to the page I started from.
  4. session-to-token appears to give me an empty array.

4 - Resolved by adding IncludeJwtInConvertSessionToTokenResponse = true to JwtAuthProvider.

The main thing I would like to know is #2.

The session IDs are random identifiers that reference a Server Session, whereas JWTs are an encoded form of a partial session. It's going to be similar for most users, since most of their session info remains the same, but the issue date (iat) and the expiry date (exp) of the JWT will be different, which will cause the signature to be different as well. You can view the contents of the JWT by pasting it in https://jwt.io
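A worked illustration of the point above (an added example, not code from the thread or from ServiceStack): decode two JWT payloads and list which claims are identical and which differ. The tokens, the claim values and the "sig-placeholder" signature segment are constructed for the example; only the payload is inspected, so no signature verification is done here.

```javascript
// Added example: compare the claims of two unverified JWTs.
// Tokens below are constructed, and "sig-placeholder" is not a real HMAC.
function b64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

// Decode without verifying: the payload is readable by anyone holding the
// token (which is why pasting it into jwt.io works), so nothing secret belongs in it.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Report which claims are identical and which changed between two tokens.
function diffClaims(tokenA, tokenB) {
  const a = decodeJwtPayload(tokenA), b = decodeJwtPayload(tokenB);
  const keys = [...new Set([...Object.keys(a), ...Object.keys(b)])].sort();
  const same = [], changed = [];
  for (const k of keys) {
    (JSON.stringify(a[k]) === JSON.stringify(b[k]) ? same : changed).push(k);
  }
  return { same, changed };
}

// Constructed sample: the same user signing in twice, 20 minutes apart.
const header = b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
function makeToken(claims) {
  return `${header}.${b64urlEncode(JSON.stringify(claims))}.sig-placeholder`;
}
const tokenA = makeToken({ sub: '1', name: 'Demo User', roles: ['user'], iat: 1500000000, exp: 1500001200 });
const tokenB = makeToken({ sub: '1', name: 'Demo User', roles: ['user'], iat: 1500001200, exp: 1500002400 });

console.log(diffClaims(tokenA, tokenB)); // { same: ['name','roles','sub'], changed: ['exp','iat'] }
```

Everything except iat and exp is identical across the two sign-ins, which is why two tokens for the same user look the same until the time claims (and therefore the signatures) are compared.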

Thanks for the info. Yes, I have been decoding them and finding they were identical.

I also found this code in the JwtAuthProvider class:

        // Fragment as posted from ServiceStack's JwtAuthProvider
        var token = Request.GetJwtToken();          // existing ss-tok, if the client already sent one
        IAuthSession session = null;
        var includeTokensInResponse =
            jwtAuthProvider.IncludeJwtInConvertSessionToTokenResponse;
        // A new JWT is only created from the server session when no token was supplied
        var createFromSession = string.IsNullOrEmpty(token);
        if (createFromSession || includeTokensInResponse)
        {
            // ... remainder of the method not included in the post
        }

This shows that if there is an ss-tok already, it uses it, which explains it. So I think I'm all complete.
