How to validate third party auth token on server? #6443
Can you share your custom auth module? I think you can check this out https://docs.parseplatform.org/js/guide/#custom-authentication-module.
Sure. This is a small module for Microsoft Graph SSO. The client is responsible for getting a valid OAuth token, and the server just tries to get the user's profile with the given token and make sure the user IDs match between the request and response. I put a breakpoint on the validateAuthData function and it only ever seemed to get called during initial login and never again. Unless I'm missing what triggers re-auth?
The session is validated every time in https://github.com/parse-community/parse-server/blob/master/src/Auth.js#L88. But this checks that the session is stored in the Parse database. I don't know if you can hook into this process and revalidate the token against Microsoft (@davimacedo @dplewis). Remember that authData is necessary at login time. Maybe revalidating it will degrade performance.
I think there is no hook you can use to add a validation in addition to the default one (against the Parse Server database). Maybe beforeSessionValidation/afterSessionValidation would be a good new feature. In the meantime I'd try to add a middleware to handle this custom validation before Parse Server.
I wouldn't even mind something I could call client-side that asks the server to revalidate the current auth data instead of expecting the server to know when to check it. For some apps it may never need to revalidate, but for my use case we are using it to gate access to the app based on our organization's Microsoft domain, so if you're no longer an employee access is automatically revoked. That said, checking once per app launch would be sufficient.
You could have an endpoint to invalidate the session when the user is no longer available. Call it when you retire the employee from the Microsoft domain. Or create a cron process that checks the employee status and, if needed, shuts down the session.
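The two pieces discussed in this thread, the custom auth adapter that checks a Microsoft Graph token against the claimed user id, and the "middleware before Parse Server" that re-runs that check on later requests and revokes the session when the provider no longer vouches for the user, written out as an added example. This is not code from parse-server or from the issue author. It assumes Node 18+ (global `fetch`), a client that sends `authData = { id, access_token }`, and Graph's `/v1.0/me` answering with `id` and `userPrincipalName`; the `allowedDomain` option, the `sessionStore` interface, the fake Graph endpoint and the in-memory session store are hypothetical stand-ins constructed so the example runs offline.

```javascript
// Added example, not parse-server code. Assumes Node 18+ (global fetch), the client sending
// authData = { id, access_token }, and Graph /v1.0/me answering { id, userPrincipalName }.
// allowedDomain is a hypothetical option; fake Graph and session store are constructed stand-ins.
const GRAPH_ME_URL = 'https://graph.microsoft.com/v1.0/me';

// Parse Server custom auth adapter: validateAuthData and validateAppId are the hooks
// Parse Server calls. checkAuthData is exposed so the same test can be rerun later.
function makeMicrosoftGraphAdapter({ allowedDomain = null, fetchImpl = fetch } = {}) {
  async function checkAuthData(authData) {
    if (!authData || typeof authData.id !== 'string' || typeof authData.access_token !== 'string') {
      throw new Error('authData must contain id and access_token');
    }
    // Ask Graph who holds this token; any non-2xx (expired, revoked, disabled account) fails.
    const res = await fetchImpl(GRAPH_ME_URL, { headers: { Authorization: `Bearer ${authData.access_token}` } });
    if (!res.ok) throw new Error(`Microsoft Graph rejected the token (HTTP ${res.status})`);
    const profile = await res.json();
    // Bind the token to the claimed id so a valid token for user X cannot log in as user Y.
    if (profile.id !== authData.id) throw new Error('Microsoft Graph user id does not match authData.id');
    if (allowedDomain) {
      const upn = String(profile.userPrincipalName || '').toLowerCase();
      if (!upn.endsWith('@' + allowedDomain.toLowerCase())) throw new Error(`account is not in the ${allowedDomain} domain`);
    }
    return profile;
  }
  return {
    validateAuthData: (authData) => checkAuthData(authData).then(() => undefined),
    validateAppId: () => Promise.resolve(),
    checkAuthData,
  };
}

// Express-style middleware mounted before Parse Server: a request carrying a session token
// is re-checked against Graph; on failure the session is revoked and the client gets
// Parse error 209 (invalid session token). sessionStore { getAuthData(t), revoke(t) } is a
// hypothetical interface; a real one would query _Session/_User with the master key.
function makeRevalidateMiddleware(adapter, sessionStore) {
  return async function revalidate(req, res, next) {
    const token = req.headers['x-parse-session-token'];
    if (!token) return next();
    const authData = await sessionStore.getAuthData(token);
    if (!authData) return next(); // unknown session: let Parse Server reject it itself
    try {
      await adapter.checkAuthData(authData);
      return next();
    } catch (err) {
      await sessionStore.revoke(token);
      res.status(401).json({ code: 209, error: 'Session revoked: ' + err.message });
    }
  };
}

// Constructed stand-ins for an offline run: a fake Graph keyed by token (delete an entry to
// simulate a disabled account), an in-memory session store, and a minimal response object.
function makeFakeGraph(validTokens) {
  return async (url, opts) => {
    const user = validTokens[(opts.headers.Authorization || '').replace('Bearer ', '')];
    return user ? { ok: true, status: 200, json: async () => user } : { ok: false, status: 401, json: async () => ({}) };
  };
}
function makeMemorySessionStore(sessions) {
  return { getAuthData: async (t) => sessions[t] || null, revoke: async (t) => { delete sessions[t]; } };
}
function fakeResponse() {
  return { statusCode: 200, body: null, status(c) { this.statusCode = c; return this; }, json(b) { this.body = b; return this; } };
}

// Login-time validation, then a later revocation seen by the middleware; returns the outcomes.
async function runDemo() {
  const tokens = {
    'tok-alice': { id: 'u-alice', userPrincipalName: 'alice@contoso.com' },
    'tok-bob': { id: 'u-bob', userPrincipalName: 'bob@fabrikam.com' },
  };
  const adapter = makeMicrosoftGraphAdapter({ allowedDomain: 'contoso.com', fetchImpl: makeFakeGraph(tokens) });
  const attempt = (authData) => adapter.validateAuthData(authData).then(() => 'ok', (e) => e.message);
  const out = {
    loginOk: await attempt({ id: 'u-alice', access_token: 'tok-alice' }),
    idMismatch: await attempt({ id: 'u-mallory', access_token: 'tok-alice' }),
    wrongDomain: await attempt({ id: 'u-bob', access_token: 'tok-bob' }),
    badToken: await attempt({ id: 'u-alice', access_token: 'tok-expired' }),
  };
  const store = makeMemorySessionStore({ 'r:sess-alice': { id: 'u-alice', access_token: 'tok-alice' } });
  const middleware = makeRevalidateMiddleware(adapter, store);
  const req = { headers: { 'x-parse-session-token': 'r:sess-alice' } };
  let res = fakeResponse(), passed = false;
  await middleware(req, res, () => { passed = true; });
  out.activePassed = passed; out.activeStatus = res.statusCode;
  delete tokens['tok-alice']; // Alice leaves the company: Graph stops honouring her token
  res = fakeResponse(); passed = false;
  await middleware(req, res, () => { passed = true; });
  out.revokedPassed = passed; out.revokedStatus = res.statusCode; out.revokedCode = res.body && res.body.code;
  out.sessionGone = (await store.getAuthData('r:sess-alice')) === null;
  return out;
}

runDemo().then((out) => console.log(out));
```

The adapter object is what you would register under the `auth` key of the Parse Server config; the middleware goes on the Express app ahead of the Parse Server mount. Note the trade-off the thread raises: every request with a session token now costs a Graph round trip, so in practice you would cache the result per session for a short window, or, as the reporter says would suffice, only run the check once per app launch.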
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I've got a custom authentication provider on the server, so there is a validateAuthData method on the server that works to validate a token. However the client (iOS in this case) only seems to validate the token on first login and never again; it just restores the original token from the keychain each launch. Is there a way to get the system to re-validate the token? The desired behavior would be to revoke the login session (or something equivalent) if the authentication provider no longer validates tokens, like if an account is removed or disabled. Does this already exist?