ServiceStack v6 JWTAuthProvider doesn't return bearer and refresh tokens

Time:02-17

I downloaded the .NET 6 project template from the ServiceStack web site, fiddled around and successfully set up authentication using the CredentialsAuthProvider. However, when I add the JwtAuthProvider it won't return the expected tokens (bearer and refresh), tested both in Postman and in the ServiceStack API Explorer. It always returns the same response as the CredentialsAuthProvider's response, as follows:

{
    "userId": "1",
    "sessionId": "MLheS29QdaaynocpNYLN",
    "userName": "[email protected]",
    "displayName": "Admin User",
    "profileUrl": "...",
    "roles": ["Admin"],
    "permissions": []
}

Here is my AuthFeature setup:

var privateKey = RsaUtils.CreatePrivateKeyParams(RsaKeyLengths.Bit2048);
appHost.Plugins.Add(new AuthFeature(() => new CustomUserSession(),
    new IAuthProvider[] {
        new JwtAuthProvider(appSettings)
        {
            HashAlgorithm = "RS256",
            PrivateKeyXml = privateKey.ToPrivateKeyXml(),
            RequireSecureConnection = false,
            SetBearerTokenOnAuthenticateResponse = true, 
        },
        new CredentialsAuthProvider(appSettings),     /* Sign In with Username / Password credentials */
    }));

To test whether the tokens get populated, I use the DummyAuthProvider below and add it to the IAuthProvider array:

using System.Threading.Tasks;
using ServiceStack;
using ServiceStack.Auth;

public class DummyAuthProvider : AuthProvider, IAuthResponseFilter
{
    public DummyAuthProvider() => Provider = "dummy";

    // IAuthResponseFilter: runs after every /auth request, so it sees the
    // same context the JWT provider uses when deciding to issue tokens.
    public Task ExecuteAsync(AuthFilterContext authContext)
    {
        var jwt = (JwtAuthProvider)AuthenticateService.GetJwtAuthProvider();

        var session = authContext.Session;
        var authService = authContext.AuthService;

        // Same conditions the JwtAuthProvider checks before populating tokens
        var shouldReturnTokens = authContext.DidAuthenticate;
        if (shouldReturnTokens && jwt.SetBearerTokenOnAuthenticateResponse && session.IsAuthenticated)
        {
            if (!jwt.RequireSecureConnection || authService.Request.IsSecureConnection)
            {
                //... will populate jwt tokens
            }
        }

        //.. won't populate jwt tokens

        return Task.CompletedTask;
    }
}

The result is that it actually populates the JWT tokens. However, the API response does NOT include the populated tokens.

Any insight on this is much appreciated.

CodePudding user response:

Please read the JWT Changes in the latest ServiceStack v6 Release, where JWTs are returned in an HttpOnly Secure ss-tok Cookie by default.

You can revert to JWT returning Bearer/Refresh Tokens in Response bodies with:

new JwtAuthProvider(AppSettings) {
    UseTokenCookie = false
},

However, I'd recommend using the default cookies, as this provides improved transparent JWT Token handling, with authenticated clients automatically resending the JWT Token cookie with each request. Because it works like normal Session Cookies, it lets your server switch to stateless JWT Cookies without needing to update existing client authentication.
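The two token-delivery modes from the answer side by side, as an added example that is not code from the original post or from ServiceStack. `JwtAuthConfig`, `Register`, `returnTokensInBody` and the `jwt.PrivateKeyXml` setting name are assumptions for illustration; `CustomUserSession` is the type used in the question, and the provider properties are the ones named on this page. It also replaces the per-startup `RsaUtils.CreatePrivateKeyParams()` call from the question with a persisted key, because a key generated on every process start invalidates every previously issued JWT and refresh token after a restart (and across instances).

```csharp
using System;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Configuration;

// Added example, not the page's or ServiceStack's own code.
public static class JwtAuthConfig
{
    // returnTokensInBody = false  -> v6 default: JWT in the HttpOnly Secure ss-tok cookie
    // returnTokensInBody = true   -> pre-v6 behaviour: bearerToken/refreshToken in the body
    public static void Register(IAppHost appHost, IAppSettings appSettings, bool returnTokensInBody)
    {
        // Assumed setting name: load the signing key from configuration so it is stable
        // across restarts. Generating it at startup (as in the question) means every
        // token signed before the restart fails signature verification afterwards.
        var privateKeyXml = appSettings.GetString("jwt.PrivateKeyXml")
            ?? throw new InvalidOperationException("jwt.PrivateKeyXml is not configured");

        var jwt = new JwtAuthProvider(appSettings)
        {
            HashAlgorithm = "RS256",
            PrivateKeyXml = privateKeyXml,

            // false: tokens are written into the /auth response body and the client
            //        must send "Authorization: Bearer <jwt>" itself on later requests.
            // true (default): no tokens in the body; the JWT travels in the ss-tok
            //        cookie and is replayed by the client like a session cookie.
            UseTokenCookie = !returnTokensInBody,

            // Leave this at its default (true) outside local development. With it
            // disabled, a token returned in a plaintext response body is readable on
            // the wire by anyone between the client and the server.
            RequireSecureConnection = true,
        };

        appHost.Plugins.Add(new AuthFeature(() => new CustomUserSession(),
            new IAuthProvider[] {
                jwt,
                new CredentialsAuthProvider(appSettings),   /* Sign In with Username / Password */
            }));
    }
}
```

With `returnTokensInBody = false` the `/auth/credentials` response body looks exactly like the one in the question (no `bearerToken`/`refreshToken` fields) and the JWT arrives in a `Set-Cookie: ss-tok=...` header instead; with `true` the fields reappear in the body. Either way the `DummyAuthProvider` check in the question reports that tokens were populated, which is why inspecting the body alone was misleading.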
