Typescript client and convert session to token

I have an authentication flow on an SPA-type page like:

  • /auth/customoauth
  • redirects to oauth server
  • redirects back
  • user is directed to authorized path
  • call ConvertSessionToToken which automatically sets the ss-tok cookie

When the user arrives at the authorized path the first time there is no ss-tok cookie. The thing is I didn’t see any methods on the typescript jsonclient to indicate whether it knows about this state or not. I know that I can convert this session easily enough to a jwt token (ConvertSessionToToken) which populates the ss-tok cookie, but if I refresh the page the convert to session is called again. My questions are, should I manually check for the ss-tok cookie and/or is there any harm in calling ConvertSessionToToken again?

The typescript client doesn’t seem to have a GetTokenCookie method which would help in this case. Also, it is a little unclear to me what happens when that cookie expires with regards to the typescript client. Is it smart enough to know how to refresh it?

You can’t check for the ss-tok cookie in JS as it’s HttpOnly. You can try to check whether it was redirected back from the OAuth server and not a refresh, or you could call a protected service like /auth to check you don’t get a 401 (to determine if you’re authenticated). But calling ConvertSessionToToken again shouldn’t make a difference as it creates a new Session from the JWT Session and sends it back.

If the cookie expires you’ve lost your JWT (i.e. the User’s Session) so the user will no longer be authenticated. You don’t get a RefreshToken from an OAuth Redirect, only when you Authenticate with the Server, e.g. using Credentials or an API Key. If you had a RefreshToken you could save it in localStorage and populate the JsonServiceClient with it onload and it will automatically fetch a new JWT BearerToken, but you don’t get a RefreshToken for OAuth so the user will need to login to their OAuth provider again, although most OAuth providers provide an auto redirect back after the first time the User has granted access so it should be pretty seamless.
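Added example (not code from either post above) of the page-load check the answer describes: probe a protected endpoint because the HttpOnly ss-tok cookie cannot be read from JS, treat a 401 as "send the user back to the OAuth login", and otherwise call ConvertSessionToToken, which the answer says is harmless to repeat on a refresh. The `AuthClient` interface and `FakeClient` are hypothetical stand-ins for `JsonServiceClient.get/post`, and the `/session-to-token` route is assumed from ServiceStack's ConvertSessionToToken DTO.

```typescript
// Minimal stand-in for the parts of JsonServiceClient this flow needs (assumption).
type ApiResult = { status: number };

interface AuthClient {
  get(path: string): Promise<ApiResult>;
  post(path: string, body: object): Promise<ApiResult>;
}

type NextStep = 'convert-session-to-token' | 'redirect-to-login';

// Pure decision based on the /auth probe: 401 means no session or an expired JWT,
// 200 means the server session (or existing ss-tok) is valid and a token can be minted.
function decideNextStep(probeStatus: number): NextStep {
  if (probeStatus === 401) return 'redirect-to-login';
  if (probeStatus === 200) return 'convert-session-to-token';
  throw new Error(`unexpected status ${probeStatus} from /auth probe`);
}

// Run once on SPA load. Returns the step taken so callers can branch (and tests can assert).
async function ensureJwtCookie(client: AuthClient): Promise<NextStep> {
  const probe = await client.get('/auth');          // protected service, as the answer suggests
  const step = decideNextStep(probe.status);
  if (step === 'redirect-to-login') {
    // In a browser: window.location.assign('/auth/customoauth') to restart the OAuth flow.
    return step;
  }
  // Safe to repeat on refresh per the answer; preserveSession keeps the server session alive.
  const converted = await client.post('/session-to-token', { preserveSession: true });
  if (converted.status !== 200) throw new Error(`ConvertSessionToToken failed: ${converted.status}`);
  return step;
}

// Constructed fake client so the flow runs offline; replace with JsonServiceClient in a real SPA.
class FakeClient implements AuthClient {
  calls: string[] = [];
  constructor(private authStatus: number) {}
  async get(path: string): Promise<ApiResult> {
    this.calls.push(`GET ${path}`);
    return { status: path === '/auth' ? this.authStatus : 404 };
  }
  async post(path: string): Promise<ApiResult> {
    this.calls.push(`POST ${path}`);
    return { status: 200 };
  }
}
```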