Maintain Session with Custom JWT

[abh-j]

Hi,

I am trying to use NextAuth as auth provider for my project. I have a requirement where I have Credential based login/password. In this case when I login I have to pass the username/password to the custom API (for ex.: abc.com/auth/login). This API as success will return me a JWT for future communication to access their resources.

What I understood from NextAuth that it maintain its own session and JWT(if DB not provided). This feature works in my case but I have to maintain the JWT which the API has returned me(mentioned above). So now there are two JWT one which I received from API and the one which NextAuth has created.
My question:

1. Is there a way which I can use to maintain the custom JWT which I received from API?
2. Is there a way if API token has been expired to tempered so I can kill NextAuth session.
3. What is the best way to keep NextAuth Session and Custom JWT token in sync?

Please suggest.

[balazsorban44]

Hi there, you could check out the jwt and session callbacks to save your received jwt token https://next-auth.js.org/configuration/callbacks

When you receive your token on signin, you can also utilize the signIn callback to validate it, and if you deem it invalid, just return false in the signIn callback.

[emulienfou]

Hi @balazsorban44 trying to achieve the same thing here.
However if you are returning false from the signIn callback you will be redirected to the Access Denied error page.

Secondly, the signIn callback do not received the token but the complete payload of the token using the credentials provider.

Is their a solution to just disable the JWT token genration from Next-Auth, and save directly as a cookie the token provided by an API?

[abh-j]

@balazsorban44 : I do have the same issue, where Next-Auth is generating session cookie with this name next-auth.session-token. In my case I would need to set the JWT token received from Credentials instead of which is generated by Next-Auth.
Could you please help here to provide some solution where I can set cookie value as the JWT received from Credential call success rather Next-Auth generated.

[balazsorban44]

Currently, next-auth will generate its own JWT that will be saved in the cookie, no support for using comletly external tokens the way you would want to (if I understand you correctly) though you can save access and refresh tokens in the jwt session with the earlier mentioned callbacks. I'm not entirely sure, but I guess it's som sort of a security measurement on our and, @iaincollins may have more info.

[emulienfou]

Okay I found a part of the solution here. So currently I let next-auth generate the JWT token which contains the same payload as the one provided by my API (I currently disabled the token signature verification in my API).

I updated the next-auth configuration to have a save token in cookie has httpOnly: false so I can access the token server and client sides by adding this in my configuration:

const options = {
   // ...
   cookies: { sessionToken: { name: `next-auth.session-token`, options: { httpOnly: false } } },
}

After that I'm using this code to get the JWT token to be passed to my API calls from the server and client sides:

import cookies from 'next-cookies'
import Cookies from 'js-cookie'

// Server-Side
cookies(context)['next-auth.session-token']
// Client-side
Cookies.get('next-auth.session-token')

Now need to figured out how to save my JWT token provided by my API instead of using the one generated by next-auth.
Then I will be able to reactivate the signature verification in my backend API.