Forgive me if this has been asked/addressed previously. We are using JWT tokens with a combination of a custom CredentialsAuthProvider, as well as Google, Microsoft, etc. OAuth providers. We have been trying to utilize fully stateless sessions based on JWT token data, with no cache persistence, and thus we use AllowSessionCookies = false in SetConfig(). However, it appears that with OAuth-based providers a temporary session (that has no information in it other than a session id) gets created and persisted to Redis (our AppHost is initialized with a RedisCacheClient in IOC). Somehow, that temporary session is fetched & validated during the login sequence. We have not found where this last part happens. The temporary session seems to disappear from Redis after the completion of the OAuth login sequence. Disabling session cookies seems to break this process. For now, we have re-enabled session cookies to allow the OAuth login to work. Are OAuth providers, such as Google, supposed to work without session cookies? How about when JwtAuthProvider.PersistSession = false? If a stateful session is required, does it always use the IOC-configured cache provider (e.g. Redis) so it can work in a load-balanced environment?
During the OAuth webflow it temporarily saves the oauthstate in the session and validates it once it receives the OAuth callback; it won't use the server session once it's completed. It still uses the same registered ICacheClient provider that all sessions do.
Thanks for the confirmation of the behavior. So then, is there a recommended configuration for using JWT with no session persistence? Is setting AllowSessionCookies = false and JwtAuthProvider.PersistSession = false the correct configuration, or is there a different approach that will still allow the OAuth webflow to work properly while subsequent requests do not attempt to load the session from Redis or pass session cookies? Thanks again for the guidance.
OAuth currently needs session cookies to work; if you register an in-memory ICacheClient it will only save the temporary session to memory.
I can investigate rewriting the OAuth providers to send a stateless token instead, but it will take some time.
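An AppHost configuration that follows the answer above, as an added example rather than code from the thread or from ServiceStack itself: session cookies stay enabled so the OAuth webflow can round-trip its temporary state, the JWT provider is told not to persist sessions, and the registered ICacheClient is an in-memory one so that temporary state never reaches Redis. The key names, AppSettings keys and the `AuthKeyBase64` value are placeholders for this example.

```csharp
using Funq;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Caching;
using ServiceStack.Redis;

public class AppHost : AppHostBase
{
    public AppHost() : base("Jwt + OAuth example", typeof(AppHost).Assembly) { }

    public override void Configure(Container container)
    {
        // Keep session cookies on: the OAuth providers store their temporary
        // oauthstate in the server session and validate it on the callback.
        // Setting AllowSessionCookies = false is what broke the Google login.
        SetConfig(new HostConfig
        {
            AllowSessionCookies = true,
        });

        // Original setup: every session, including the OAuth temporary one,
        // was written to Redis through the registered ICacheClient.
        // container.Register<IRedisClientsManager>(c => new RedisManagerPool("localhost:6379"));
        // container.Register<ICacheClient>(c => c.Resolve<IRedisClientsManager>().GetCacheClient());

        // Replacement: the temporary OAuth session is only ever held in memory.
        // Caveat: with in-memory state the OAuth callback must land on the same
        // node that started the webflow, so a load-balanced deployment needs
        // sticky sessions for the duration of the login redirect.
        container.Register<ICacheClient>(c => new MemoryCacheClient());

        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[]
            {
                new CredentialsAuthProvider(AppSettings),
                new JwtAuthProvider(AppSettings)
                {
                    // Placeholder key; generate a real one per environment.
                    AuthKeyBase64 = "REPLACE_WITH_BASE64_HMAC_KEY",
                    // Authenticated requests are served from the JWT alone,
                    // nothing is written back to the cache for them.
                    PersistSession = false,
                },
                // Reads oauth.google.ConsumerKey / ConsumerSecret from AppSettings.
                new GoogleAuthProvider(AppSettings),
            }));
    }
}
```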
Makes sense - this certainly clarifies things for us. As always, thank you for the very quick replies!