I have a Laravel backend application and a React frontend.
I’m using Socialite with Azure configuration to connect my users via Microsoft.
Authentication works, as well as user verification with the access token.
Unfortunately, my users are getting logged out after 1 hour and 20 minutes.
In the $user object, I get a $refreshToken key that should allow me to refresh the access token and keep my user session alive.
However, I’m unsure about how to set up and use this refresh token.
I would like to avoid storing information in a database or session.
How can I proceed? Does Socialite provide a solution for this?
Thank you
public function authRedirectWithAzure(Request $request)
{
try {
$scopes = ['openid', 'profile', 'email', 'offline_access'];
$url = Socialite::driver('azure')->scopes($scopes)->stateless()->redirect()->getTargetUrl();
if ($url) {
return response()->json($url);
}
} catch (Throwable $th) {
return $this->logService->sendLog(
$th->getMessage(),
'Failed to connect to Microsoft Azure.',
$request->ip(),
$request->url(),
'Failed to connect to Microsoft Azure.',
HttpStatus::INTERNAL_SERVER_ERROR,
null
);
}
}
public function exchangeCodeForToken(Request $request)
{
try {
//recuperation de l'user
$user = Socialite::driver('azure')->stateless()->user();
if ($user) {
$token = $user->token;
Log::info(["user" => $user]);
$response = Http::withHeaders([
'Authorization' => 'Bearer ' . $token
])->get('https://graph.microsoft.com/v1.0/me');
if ($response->successful()) {
//création du token
$cookie = cookie('auth_token', $token, 120, '/', null, false, true, false, 'Strict');
//return des infos user avec le cookie
return response()->json([
'userData' => $response->json(),
'message' => 'Authentication successful',
], 200)->withCookie($cookie);
}
} else {
return $this->logService->sendLog(
'error',
'Error to process user data and set cookie response',
'processexchangeCodeForTokenRequest',
$request->ip(),
$request->url(),
"Request to exchangeCodeForToken don't success.",
HttpStatus::INTERNAL_SERVER_ERROR,
null,
null
);
}
} catch (Throwable $th) {
// Catch-all pour tout autre problème inattendu.
return $this->logService->sendLog(
$th->getMessage(),
'Unexpected error during Azure authentication.',
$request->ip(),
$request->url(),
'Unexpected error',
HttpStatus::INTERNAL_SERVER_ERROR,
null
);
}
}
I have read that I can do this with session storage, Http only cookie but this is not what i except.
I was wondering if there was a security issue with the http only cookie because both token and refresh token are together in that cookie?
user22433660 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.