Issue with Refresh Token

I am using a custom auth provider (based on CredentialsAuth) and a customAuthSession. I also use JwtProvider with the CreatePayloadFilter/PopulateSessionFilter filters with UseTokenCookie True. My customAuth provider is creating my customSession inside the OnAuthenticatedAsync. So far so good, that happens once and my token has all the custom data I need. The issue I have is when the token expires and the refreshing of the token happens. Once refreshed, the new token only has the basic IAuthSession and custom data is lost. I understand that is the expected behavior since we do not go through the Authentication again. I understand I need to rehydrate my session somehow and update the refreshed payload with it again.

I struggle to find the event in that whole process where to do it… When the session was created at Authentication, I was also reading some request headers and I will also need those values again when the refresh is happening.

Could you please give some directions around that refresh token process and how I can simply reapply the ss-tok custom values I had to the new one?

Thanks

You’ll want to follow or debug into the source code to work out how Access Tokens are created from Refresh Tokens in CreateAccessTokenFromRefreshToken() which creates the Session from the IUserSessionSourceAsync implementation resolved from GetUserSessionSourceAsync() which you can either register in the IOC or have your custom Auth Provider implement.

public interface IUserSessionSourceAsync
{
    Task<IAuthSession> GetUserSessionAsync(string userAuthId, CancellationToken ct);
}

The session that’s returned is then used by CreateJwtBearerToken() to create the JWT which you can intercept in a custom CreatePayloadFilter delegate on JwtAuthProvider.

Thank you so much, will take a look!

1 Like

Hi Mythz, Do you think it would be possible to add

Task<IAuthSession> GetUserSessionAsync(string userAuthId, IRequest request, CancellationToken ct);

to your interface? Would be nice to end up in the GetUserSessionAsync and have access to the request info.

This change is available from v8.71+ that’s now available in the pre release packages.

Note: whilst IRequest is available when ServiceStack calls it atm, your implementation should treat IRequest as an optional param so it’s still usable in contexts when IRequest is not available.

1 Like
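A sketch of the approach described in the replies above, added here as an example and not code from any poster or from ServiceStack itself. It assumes the interface method shipped with the signature requested in the thread; `CustomUserSession`, `TenantId`, `ClientRegion`, the `X-Client-Region` header, `LookupTenantAsync` and `JwtConfig` are hypothetical names.

```csharp
using System.Threading;
using System.Threading.Tasks;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Configuration;
using ServiceStack.Web;

// Hypothetical custom session carrying the extra values that go into the JWT.
public class CustomUserSession : AuthUserSession
{
    public string TenantId { get; set; }
    public string ClientRegion { get; set; }
}

// Rebuilds the custom session when a refresh token is exchanged for a new access token.
public class CustomSessionSource : IUserSessionSourceAsync
{
    // Assumption: signature as requested in the thread (userAuthId, request, ct).
    public async Task<IAuthSession> GetUserSessionAsync(string userAuthId, IRequest request, CancellationToken ct)
    {
        var session = new CustomUserSession {
            UserAuthId = userAuthId,
            IsAuthenticated = true,
            // Reload custom data from server-side state, not from the expired token.
            TenantId = await LookupTenantAsync(userAuthId, ct),
        };
        // IRequest may be null when called outside an HTTP request, so treat it as optional.
        // Header values are client-supplied: validate them before relying on them.
        var region = request?.Headers["X-Client-Region"];
        if (!string.IsNullOrEmpty(region))
            session.ClientRegion = region;
        return session;
    }

    // Hypothetical placeholder for a lookup against your own user store.
    static Task<string> LookupTenantAsync(string userAuthId, CancellationToken ct) => Task.FromResult("tenant-for-" + userAuthId);
}

public static class JwtConfig
{
    // The same filter runs for tokens issued at login and at refresh.
    public static JwtAuthProvider Create(IAppSettings settings) => new(settings) {
        UseTokenCookie = true,
        CreatePayloadFilter = (payload, session) => {
            if (session is not CustomUserSession s) return;
            payload["tenant"] = s.TenantId;
            if (s.ClientRegion != null) payload["region"] = s.ClientRegion;
        },
    };
}
```

Register `CustomSessionSource` in the IOC as the `IUserSessionSourceAsync` implementation, or move the method onto the custom Auth Provider, as the reply above describes.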

Awesome! This is why I’ve been with SS for 15 years! Can’t leave without it. Thanks.

1 Like

Wow you’re one of the OG’s 🙂 pretty crazy ServiceStack’s been around for so long!

1 Like

Been using SS since version 3 after working with WCF and desperate for an alternative.

1 Like