I was able to hit the right endpoint, found here after all. Below is the code; however, I still have to implement the token refresh logic. At this point I have another question though: in order to enhance the NextAuth token with the required Hasura custom claims, I need to set a new iat and exp value. These values are passed to NextAuth by FusionAuth in the account.accessToken property on the jwt callback event. It looks like it contains exactly all the props I need, together with the exact iat and exp. Is there a way, and is it safe, to decode and grab all values from account.accessToken?

Hi, you got some traction on refresh tokens! I am not familiar with NextAuth and its requirements. If you are looking to read the access token's iat and exp value issued by FusionAuth, that should be achievable. In fact, if you are using an OAuth workflow you can use the userinfo and introspect endpoints to decode that access token and associated claims. All of this is linked in the documentation as well as concisely here under OAuth. If you want to access your user via API, you can also use endpoints like the registration endpoint to get more information about your user.

Off the top of my head, if you can customize claims on a token with FusionAuth's lambda functionality: however, the populate lambda documentation prohibits modifying the iat and exp claims. You may add or modify anything in the jwt object. However, you may not modify the header keys or values of the JWT. FusionAuth also protects certain reserved claims. The following claims are considered reserved, and modifications or removal will not be reflected in the final JWT payload.

In my growing experience, those iat and exp are reserved (for security reasons). You may want to review how you are connecting all your architecture pieces to determine why you need to modify those claims. I have used NextJS and NextAuth only sparingly, but similar example applications are built using the OAuth protocol in React (here) and VueJS (here). This is a bit longer because I wanted to give you some general guidance and feedback. I will let you know if anything else pops to mind.

Additional links about JWT that might be helpful: OAuth and Authorization Code Grant Workflow.

Josh

I spent the weekend on it, and I have been successful. Honestly, FusionAuth has been a revelation. It's extremely powerful, and because of that I struggled a bit getting to know all the features. I was not yet aware of both the userinfo and introspect APIs, so thanks again for letting me know about them. I like the userinfo API more, although introspect does return all the claims, including iat and exp.

But before I get into it, please let me describe what I did. I'm no security expert, and I'd be happy if you could vet the process at a high level to make sure I'm not doing anything blatantly naive. After signing in, I grab the accessToken prop and very manually run it through jsonwebtoken.verify using the public key stored on FusionAuth and hold a reference to that object. I then add to it Hasura's custom claims, and then sign this thing using a different RSA key, known by the Hasura server. Once I complete my implementation, I plan to write a tutorial about Next.js + FusionAuth + Hasura.