JwtAuthProvider not returning AuthUserSession.Meta when authenticating with Bearer, works fine with ss-id cookie

We are storing some user defined parameters in the AuthUserSession.Meta, it is working create when we make our api calls using cookies and passing the ss-id cookie.

Then there was a situation where we were authentication using “Authorization: Bearer” in the header, everything works fine, it authenticates etc. but it doesn’t populate the AuthUserSession.Meta.

Is this by behavior, bug or I need some additional configurations?

Any help is appreciated.


I don’t understand the behavior that you’re expecting, nothing in the JWT Auth Provider populates AuthUserSession.Meta. The JWT payload only persists essential information about the session by default.

If you want to add custom metadata to your JWT and have it populated in your Session you need to add a custom CreatePayloadFilter and PopulateSessionFilter.

So I am already pushing properties such as tenant_id and customer_id using the CreatePayloadFilter which works great.

So my end goal is not to have to Query the DB for each authenticated api call to get the tenant_id and customer_id using the UserAuthId. Since I already have tenant_id and customer_id pushed into the Payload how do I read those two properties on api calls after being authenticated (the goal is to avoid reading the DB each time).


This thread had a clue https://stackoverflow.com/questions/47319430/how-to-add-a-database-retrieved-value-custom-claim-to-jwt-token-using-servicesta/47319758#47319758

I was trying access session.tenant_id and I wasn’t able to, looking at the threat above doing ((CustomUserSession) session).tenant_id worked.

Please see my existing links, what you add to the JWT Payload with CreatePayloadFilter you can use to populate the User Session using PopulateSessionFilter.

Whatever Custom User Session you’ve registered in your AuthFeature constructor, i.e:

Plugins.Add(new AuthFeature(() => new CustomUserSession) { ... });

You can access again using the typed SessionAs<T>() APIs, e.g:

var session = SessionAs<CustomUserSession>();

Which is also available off IRequest if you need to access Typed Sessions outside of a Service, e.g. in Filters