Open Panthaaaa opened 4 years ago
Just chiming in with another use case relating to refresh cookies, which also use the same Condition in several spots.
I am experimenting with a combination of Bearer and Cookies in an SPA as outlined in this article as well as some of the other articles referenced there (e.g. hasura.io). Briefly, the idea is to keep the access token in memory, and persist the refresh token in an HttpOnly path-specific Cookie so that it will be automatically sent on refresh token requests. This avoids saving it in local storage.
I implemented this by extending the AccessRefreshTokenLoginHandler and implementing my own LogoutHandler to set and remove the cookie. This seems to work fine, but I had thought it might work OOB by just specifying the refresh token cookie configuration, and then after I realized it didn't, I thought I could reuse the existing RefreshTokenCookieConfiguration. If the condition were changed, this might work without additional changes in logout (e.g. JwtCookieClearerLogoutHandler), but I think the AccessRefreshTokenLoginHandler would need to be modified to actually set the cookie. I'm wondering if this is something that makes sense for the project or whether this use case is too specialized.
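The cookie behaviour the comment above relies on (a refresh token in an HttpOnly cookie whose Path attribute restricts it to the refresh endpoint, and a logout that clears it with a matching Path), as an added example that is not code from the issue or from micronaut-security. The cookie name, the refresh endpoint path and the RFC 6265 path-match logic are assumptions made here for illustration.

```javascript
// Added example, not from the issue or the micronaut-security project.
// Models how a browser decides whether a path-scoped refresh cookie is
// attached to a request (RFC 6265 section 5.1.4 path-match).
const REFRESH_COOKIE = "JWT_REFRESH_TOKEN";   // assumed cookie name
const REFRESH_PATH = "/oauth/access_token";   // assumed refresh endpoint

// Set-Cookie value a login handler would emit: HttpOnly keeps the token away
// from page scripts, Path limits which requests carry it, Secure and SameSite
// limit where it travels.
function buildRefreshCookie(token, maxAgeSeconds) {
  if (/[;,\s]/.test(token)) throw new Error("token must not contain ; , or whitespace");
  return `${REFRESH_COOKIE}=${token}; Path=${REFRESH_PATH}; HttpOnly; Secure; ` +
         `SameSite=Strict; Max-Age=${maxAgeSeconds}`;
}

// Set-Cookie value a logout handler must emit: the Path has to match the one
// used at login, otherwise the browser keeps the original cookie.
function buildClearCookie() {
  return `${REFRESH_COOKIE}=; Path=${REFRESH_PATH}; HttpOnly; Secure; SameSite=Strict; Max-Age=0`;
}

// Parse name, value and the attributes we care about out of a Set-Cookie value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   path: "/", httpOnly: false, secure: false, maxAge: null };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "path") cookie.path = v;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "max-age") cookie.maxAge = Number(v);
  }
  return cookie;
}

// RFC 6265 path-match: cookie-path equals request-path, or is a prefix of it
// and either ends in "/" or the next request-path character is "/".
function pathMatches(cookiePath, requestPath) {
  if (cookiePath === requestPath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Would the browser attach this cookie to a request for requestPath?
function cookieSentFor(setCookieValue, requestPath) {
  const cookie = parseSetCookie(setCookieValue);
  return cookie.maxAge !== 0 && pathMatches(cookie.path, requestPath);
}
```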
@Panthaaaa If you are using external tokens then the value should be micronaut.security.authentication: idtoken, which will enable that bean the same as cookie
@matt-snider I think I understand what you want to achieve, but that isn't related to this issue I don't think. You can file a new issue and explain in detail what we could do to improve this library
io.micronaut.security.token.jwt.cookie.JwtCookieConfigurationProperties requires io.micronaut.security.authentication.CookieBasedAuthenticationModeCondition which should only be used if login/logout is handled by micronaut. We use header and cookie based auth with externally (keycloak) provided tokens and don't want to enable login/logout in micronaut.
This was added a few weeks ago by #397 at https://github.com/micronaut-projects/micronaut-security/blob/b03a7a64e08eefd216b13c9ccdae7befc71114e9/security-jwt/src/main/java/io/micronaut/security/token/jwt/cookie/JwtCookieConfigurationProperties.java#L38
Steps to Reproduce
@Secured
Expected Behaviour
JWT with Cookies should work as documented only by setting micronaut.security.token.jwt.cookie settings and not micronaut.security.authentication to cookie.
Actual Behaviour
micronaut.security.authentication needs to be set to cookie to enable reading JWT cookies. Otherwise the request errors with 401 and the following log is written:
Environment Information
micronautVersion=2.1.1 application.yml security config