Session Mode Missing Doc Explanation #22435
Comments
As a workaround it would be nice to know how to generate an access_token and refresh_token out of the session token, as the session token is not the same.
If you have a session token then you have already logged in. Logging in is what returns you the token for the mode used. That token is then used to authenticate to endpoints in the API.
This would be the same as any other endpoint. Do a request with the session cookie set in the headers. Since the browser handles cookie management for you this may require extra configuration/dependencies/etc for a native non-browser platform.
I'm no expert in native mobile development but my first instinct would be that there are probably options to deal with cookies (considering that's a commonly used method of authentication on the web). However, if they can't support cookies for some reason, I would assume there'd be a platform-specific secure form for storing credentials.
Cookies are passed as a header too! But there is a bunch of extra logic surrounding it in browsers dealing with domain security / js access / formatting the header / parsing response cookies and such.
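What "cookies are passed as a header too" means for a client with no browser cookie jar, as an added example that is not part of this thread or of Directus code. It assumes the login response's `Set-Cookie` values are available as strings; the helper names are hypothetical, and binding the cookie to the issuing origin is a simplification that is stricter than browser domain matching.

```javascript
// Added example: manual session-cookie handling in a non-browser client.
// The cookie name is taken from the issue text; all other names are hypothetical.
const SESSION_COOKIE = "directus_session_token";

// Parse one Set-Cookie header value into { name, value, attrs }.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) return null;
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Pick the session cookie out of a login response and bind it to the
// origin that issued it (assumption: one origin per session).
function extractSession(setCookieHeaders, responseUrl) {
  const origin = new URL(responseUrl).origin;
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (!c || c.name !== SESSION_COOKIE) continue;
    const maxAge = Number(c.attrs["max-age"]);
    return {
      value: c.value,
      origin,
      secure: c.attrs.secure === true,
      expiresAt: Number.isFinite(maxAge) ? Date.now() + maxAge * 1000 : null,
    };
  }
  return null;
}

// Build request headers; never attach the cookie where a browser would not.
function headersFor(session, requestUrl, now = Date.now()) {
  const url = new URL(requestUrl);
  if (!session || url.origin !== session.origin) return {};
  if (session.secure && url.protocol !== "https:") return {};
  if (session.expiresAt !== null && now >= session.expiresAt) return {};
  return { Cookie: `${SESSION_COOKIE}=${session.value}` };
}
```

The returned session object is the credential, so on a mobile platform it belongs in the OS secure storage rather than in plain app preferences.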
Well the problem is with native SSO login the following: you are in the app, you open the browser for the SSO login and get authenticated in the browser. Now the Directus instance redirects the user to the mobile app. So it is required to pass the token to the app somehow. Or I would need somehow to set and get the session token from within the app.
Could you otherwise tell me how to create/get access and refresh tokens within a custom endpoint from the session token? This would work as a workaround.
Also using cookies would have the negative effect, when using a native app, that the user would be logged out when the browser cache is reset.
Created a temporary workaround to get refresh token for "session" auth providers: #22427
So quick curiosity in this native workflow, do you really need the session mode? It doesn't look like you are actually sharing the SSO login between the native app and the Directus instance, which would mean there is no real need to be "compatible with the browser data studio" 🤔 Couldn't you open the browser directly to the SSO provider of your user's choice (
Well, I am opening the SSO provider directly in the native browser. But this causes the app to be left and the native browser to be opened. This results in not being able to access the cookie from within the app.
export const ButtonAuthProvider = ( {provider}: SsoProvider) => {
};
So I am a little confused now.
How were you doing this before? Because before session mode was introduced you had to use
Before I used the Json mode. And I let the user redirect to a custom Directus endpoint. This endpoint took the "refresh_token" and added it to a redirect to the native app deep link.
The current workaround uses the session mode and creates a new refresh token and adds this also to the redirect.
So then what was stopping you from carrying on with this original workflow? This authentication is unrelated to the Directus Studio authentication and specific to the native app, as far as I'm reading.
You are totally correct. But regarding the increasing native app amount, it would be beneficial for Directus to also support this kind of native auth flow. For me, I will stick to this workaround, but I would love to see support for this also for SDK clients.
Page
https://docs.directus.io/reference/authentication.html#login
Describe the Inaccuracy
Okay, so first, sorry to bother with this topic. But as the default now moves to the new "session" mode, a lot of things are now making life hard.
The documentation is missing how to log in with a directus_session_token. As for our native app users we would like to save the credentials somewhere, the question arises: how to save the session token?
Also the question arises: how to refresh with a passed session token?
As the Directus SDK client does not support SSO logins for native app users, we have no clue how to give them access to the app, as we need somehow to pass the token to the users. It is also necessary to pass the tokens in headers for getting images, as we cannot always rely on cookies.