Comments (7)
I released version 0.4.0, which improves the Redirect components a bit. This should make it easier to implement your use case. I also created a new example: https://github.com/ctron/yew-oauth2/tree/main/yew-oauth2-redirect-example
from yew-oauth2.
Thanks @ctron. I'll give that a try :)
from yew-oauth2.
Thanks for the great feedback! 😄
To my understanding (and I guess there are many opinions on how to do it right), the access token should not be stored.
You are right, what currently happens is that, when you reload, the access token is lost. When redirection is in place, that would redirect you to the oauth provider. And if that figures out that you are still logged in, it would automatically redirect you back to the application with a new code, which you can then trade for an access token. So, nothing is stored.
We use that with Keycloak, and it works as expected. However, I guess not everyone wants to do it the same way.
Taking a look at some pages from Auth0: https://auth0.com/docs/secure/security-guidance/data-security/token-storage#browser-in-memory-scenarios
Auth0 recommends storing tokens in browser memory as the most secure option.
And (the note):
The in-memory method for browser storage does not provide persistence across page refreshes and browser tabs.
However, I think it may be a valid use case to store the access (and I guess the refresh token) in the browser local storage. If someone does want to do that, I guess that yew-oauth2 could be enhanced to support that, in addition, when enabled.
The code already stores some state, which is needed to verify the code, and trade in the access token. So that part could also check for an existing access token, and try to use it instead. And when a new token is fetched, that could be stored in the local browser storage.
from yew-oauth2.
Got it, thanks ctron! Closing...
from yew-oauth2.
@ctron: When redirection is in place, that would redirect you to the oauth provider. And if that figures out that you are still logged in, it would automatically redirect you back to the application with a new code, which you can then trade for an access token.
When I reload my page, this redirection doesn't happen, I only see the <NotAuthenticated/> view.
How would I go about adding this redirection in for staying logged in, while not storing the token?
from yew-oauth2.
True, as the <NotAuthenticated> component isn't designed to handle this. For this you would need to use the <Redirect> component. IIRC, there is no example for this (yet).
What should happen is that the component detects that an authentication context/token is missing, and so it would redirect to the SSO server. If that still has a session active (maybe using cookies or storage) it would immediately redirect back to the application. So for the user, this would be transparent.
I will see if I can add an explicit example for this case.
from yew-oauth2.
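The two ctron comments above (the one on keeping the access token only in memory while the stored state is used to verify the callback code, and the one on redirecting to the SSO server when no token is present) describe one flow. Below is an added example that models that flow in plain Rust; it is not yew-oauth2's own code and does not use the yew-oauth2 API. Everything in it is assumed for illustration: the `https://sso.example/authorize` endpoint, the storage keys, the `Storage` map that stands in for browser session/local storage, the `exchange` closure that stands in for the token-endpoint call, and the `fresh_state` value, which the caller must generate with a CSPRNG in real code. The optional `persist_token` flag models the enhancement the thread discusses, where an existing stored token is reused instead of redirecting.

```rust
// Added example (not yew-oauth2 code): silent re-login via redirect, with the
// OAuth2 `state` kept in storage for callback verification and the access
// token kept in memory unless persistence is explicitly enabled.
use std::cell::RefCell;
use std::collections::HashMap;
use std::rc::Rc;

/// Stand-in for browser storage (constructed): one map shared by every client
/// created during a "page session", so it survives the simulated reloads the
/// way session/local storage survives a real one.
pub type Storage = Rc<RefCell<HashMap<String, String>>>;

#[derive(Clone, Debug, PartialEq)]
pub struct AccessToken {
    pub value: String,
    /// Expiry as Unix seconds (constructed for the example).
    pub expires_at: u64,
}

/// What the application should render after the client inspects its state.
#[derive(Debug, PartialEq)]
pub enum Action {
    /// No usable token: send the browser to the provider's authorize endpoint.
    Redirect(String),
    /// A token is available: render the authenticated view.
    Authenticated(AccessToken),
}

pub struct AuthClient {
    authorize_url: String, // assumed placeholder endpoint
    storage: Storage,
    persist_token: bool,
    token: Option<AccessToken>, // in-memory token, lost on reload
}

impl AuthClient {
    pub fn new(authorize_url: &str, storage: Storage, persist_token: bool) -> Self {
        // Only with persistence enabled do we look for a previously stored token.
        let token = if persist_token {
            let s = storage.borrow();
            match (s.get("token.value"), s.get("token.expires_at")) {
                (Some(v), Some(e)) => e
                    .parse::<u64>()
                    .ok()
                    .map(|expires_at| AccessToken { value: v.clone(), expires_at }),
                _ => None,
            }
        } else {
            None
        };
        AuthClient { authorize_url: authorize_url.to_string(), storage, persist_token, token }
    }

    /// Run on page load. `fresh_state` is caller-supplied and must be
    /// unpredictable (CSPRNG) in real code; it is a plain string here.
    pub fn on_load(&mut self, now: u64, fresh_state: &str) -> Action {
        if let Some(t) = &self.token {
            if t.expires_at > now {
                return Action::Authenticated(t.clone());
            }
            self.token = None; // expired: fall through to the redirect
        }
        // The state must survive the round trip to the provider, so it is the
        // one thing that always goes to storage.
        self.storage.borrow_mut().insert("oauth.state".into(), fresh_state.to_string());
        Action::Redirect(format!("{}?response_type=code&state={}", self.authorize_url, fresh_state))
    }

    /// Handle the provider's redirect back. `exchange` stands in for the
    /// token-endpoint request that trades the code for a token.
    pub fn handle_callback<F>(&mut self, state: &str, code: &str, exchange: F) -> Result<AccessToken, &'static str>
    where
        F: Fn(&str) -> Option<AccessToken>,
    {
        let matches = self.storage.borrow().get("oauth.state").map(|s| s == state).unwrap_or(false);
        if !matches {
            return Err("state missing or mismatched: callback rejected");
        }
        // The state is single-use: remove it so a replayed callback cannot match again.
        self.storage.borrow_mut().remove("oauth.state");
        let token = exchange(code).ok_or("token endpoint rejected the code")?;
        if self.persist_token {
            let mut s = self.storage.borrow_mut();
            s.insert("token.value".into(), token.value.clone());
            s.insert("token.expires_at".into(), token.expires_at.to_string());
        }
        self.token = Some(token.clone());
        Ok(token)
    }
}

fn main() {
    let storage: Storage = Rc::new(RefCell::new(HashMap::new()));
    let exchange = |code: &str| Some(AccessToken { value: format!("tok-for-{code}"), expires_at: 1_900 });
    let mut client = AuthClient::new("https://sso.example/authorize", storage.clone(), false);
    println!("first load: {:?}", client.on_load(1_000, "placeholder-state"));
    println!("callback:   {:?}", client.handle_callback("placeholder-state", "abc", &exchange));
    // Simulated reload without persistence: the in-memory token is gone.
    let mut reloaded = AuthClient::new("https://sso.example/authorize", storage, false);
    println!("after reload: {:?}", reloaded.on_load(1_500, "placeholder-state-2"));
}
```

With `persist_token` off, a reload yields a new `Redirect`, which is the behaviour ctron describes: the provider's own session decides whether the user comes straight back with a fresh code. With it on, a stored, unexpired token is reused; the expiry check keeps a stale token in local storage from being presented again.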
I tried to create an example, but found out that Redirect had a different use case in mind: redirect to a URL once the session expired (or got logged off). I guess I should have documented that better 😀
So I created #6
I think it makes sense supporting this, and I would welcome your input on how to add this (how it would work best for you).
from yew-oauth2.