When we initially complete a login, we will run JS on page to populate hidden fields which will populate data such as type and name (session metadata on the refresh token)
This allows for us to persist session data in the RT and the SSO session token. However, if a user has only a FA SSO session (no active AT or RT available), when they obtain a new RT (based on this session), we do not persist any metadata (partly because we are not running this JS from the authorize page on a form post with hidden fields). There may be legitimate reason to not use the same metadata from an SSO session on newly minted RT, but when possible, we should consider copying the metadata from the SSO session to the RT.
Is this a question about how to use FusionAuth? Please consider posting on the FusionAuth forum instead.
(Put issue title here)
Description
When we initially complete a login, we will run JS on page to populate hidden fields which will populate data such as
type
andname
(session metadata on the refresh token)This allows for us to persist session data in the RT and the SSO session token. However, if a user has only a FA SSO session (no active AT or RT available), when they obtain a new RT (based on this session), we do not persist any metadata (partly because we are not running this JS from the authorize page on a form post with hidden fields). There may be legitimate reason to not use the same metadata from an SSO session on newly minted RT, but when possible, we should consider copying the metadata from the SSO session to the RT.
Is this a question about how to use FusionAuth? Please consider posting on the FusionAuth forum instead.
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.