Expose session_state to allow checking identity session using iframe

[nulladdict]

Summary of proposed feature
Add a way to pass session_state from identity provider response to jwt callback

Purpose of proposed feature
session_state parameter is a required part to use in check_session_iframe scenario. By forwarding it to the jwt callback it can be saved to client session and used in the browser to find out if identity session has changed

Detail about proposed feature
Minimal required change would probably be passing req.query.session_state to the jwt callback, although I'm not quite sure in which object or parameter it should be put

Potential problems
session_state is not useful for all scenarios and may not be supported by certain oidc providers

Describe any alternatives you've considered
Polling identity provider with prompt=none, but this causes extra network traffic
Polling introspection endpoint to find if access_token is still valid, but this requires using access_token and having access to introspection

Additional context
More info about oidc session management

Please indicate if you are willing and able to help implement the proposed feature.
I am willing to implement the feature, but I might require some additional guidance as to where to actually put the parameter

[balazsorban44]

Could you check if account.sessoin_state is defined for you in the jwt callback?

We started forwarding the raw results:

next-auth/src/server/lib/oauth/client.js

Line 179 in e293e78

...raw

Not sure in which version we introduced it, but 3.4.1 certainly includes this.

UPDATE: Oh, I may have gotten it wrong. So this parameter is sent to our /callback route as a query string parameter, and you need it in the jwt callback:

next-auth/src/server/routes/callback.js

Lines 12 to 92 in e293e78

	export default async function callback (req, res) {
	const {
	provider,
	adapter,
	baseUrl,
	basePath,
	secret,
	cookies,
	callbackUrl,
	pages,
	jwt,
	events,
	callbacks,
	session: {
	jwt: useJwtSession,
	maxAge: sessionMaxAge
	}
	} = req.options
	// Get session ID (if set)
	const sessionToken = req.cookies?.[cookies.sessionToken.name] ?? null
	if (provider.type === 'oauth') {
	try {
	const { profile, account, OAuthProfile } = await oAuthCallback(req)
	try {
	// Make it easier to debug when adding a new provider
	logger.debug('OAUTH_CALLBACK_RESPONSE', { profile, account, OAuthProfile })
	// If we don't have a profile object then either something went wrong
	// or the user cancelled signing in. We don't know which, so we just
	// direct the user to the signin page for now. We could do something
	// else in future.
	//
	// Note: In oAuthCallback an error is logged with debug info, so it
	// should at least be visible to developers what happened if it is an
	// error with the provider.
	if (!profile) {
	return res.redirect(`${baseUrl}${basePath}/signin`)
	}
	// Check if user is allowed to sign in
	// Attempt to get Profile from OAuth provider details before invoking
	// signIn callback - but if no user object is returned, that is fine
	// (that just means it's a new user signing in for the first time).
	let userOrProfile = profile
	if (adapter) {
	const { getUserByProviderAccountId } = await adapter.getAdapter(req.options)
	const userFromProviderAccountId = await getUserByProviderAccountId(account.provider, account.id)
	if (userFromProviderAccountId) {
	userOrProfile = userFromProviderAccountId
	}
	}
	try {
	const signInCallbackResponse = await callbacks.signIn(userOrProfile, account, OAuthProfile)
	if (signInCallbackResponse === false) {
	return res.redirect(`${baseUrl}${basePath}/error?error=AccessDenied`)
	} else if (typeof signInCallbackResponse === 'string') {
	return res.redirect(signInCallbackResponse)
	}
	} catch (error) {
	if (error instanceof Error) {
	return res.redirect(`${baseUrl}${basePath}/error?error=${encodeURIComponent(error)}`)
	}
	// TODO: Remove in a future major release
	logger.warn('SIGNIN_CALLBACK_REJECT_REDIRECT')
	return res.redirect(error)
	}
	// Sign user in
	const { user, session, isNewUser } = await callbackHandler(sessionToken, profile, account, req.options)
	if (useJwtSession) {
	const defaultJwtPayload = {
	name: user.name,
	email: user.email,
	picture: user.image,
	sub: user.id?.toString()
	}
	const jwtPayload = await callbacks.jwt(defaultJwtPayload, user, account, OAuthProfile, isNewUser)

[nulladdict]

Yes, session_state is only present in the initial response with code (I'm using Identity Server 4, authorization code flow), it's not present when the code is exchanged to access_token, although I'm not sure how standard this behaviour is

[balazsorban44]

Yes, we are using IDS4 at work too, and actually came across this query parameter while debugging something just today! Forwarding it to jwt would be super easy, although I don't know in which param should it be either. Should it be a new one...? We already have 5 params, in the next major release, I definitely want to turn it into named parameters...

@iaincollins any suggestions? New param, add it to one of them? Which one?

@nulladdict I haven't read through the spec very carefully yet, so do you expect us to do anything else than give you this param for now? I guess in the future we could do more out-of-the-box if we have a better grasp of this spec.

[nulladdict]

I think just having access to the session_state is fine, forwarding it to the client and polling the iframe should be trivial, example can be found here: oidc-client-js

[balazsorban44]

So #1698 could expose session_state in the account object in jwt and signIn, once finished.

See also: https://github.com/panva/node-openid-client/blob/main/docs/README.md#new-tokensetinput

[stale]

Hi there! It looks like this issue hasn't had any activity for a while. It will be closed if no further activity occurs. If you think your issue is still relevant, feel free to comment on it to keep it open. (Read more at #912) Thanks!

[balazsorban44]

Sorry, this hasn't been forgotten, but still needs some work. Wearing many hats at the moment. 🎩😊

[balazsorban44]

@nulladdict if you are still following, I created a temporary version for you to check out!

We aim for a v4 release this summer, and session_state will be available as mentioned above.

Here: npm i next-auth@0.0.0-pr.1698.d16e2ddc

There are quite a few breaking changes that are documented in the https://github.com/nextauthjs/next-auth/releases pre-release release notes. There will be migration documentation when we are close to the actual release.

[balazsorban44]

There is a workaround actually, that should work in 3.x already.

// [...nextauth].js
export default function auth(req, res) {
  return NextAuth(req, res, {
    callbacks: {
      jwt() {
        const sessionState = req.query.session_state
      }
    }
  })
}

[nulladdict]

Thanks, I'll check it out when I have time to go through api changes

[balazsorban44]

I am confident that this will be resolved in the above mentioned PR, so I'll close this now. when v4 is released, feel free to check and report back here if it wasn't the case. we can reopen then. 😊