
Make the request available to onCallback #2454

@dstapleton92

Description


Checklist

  • I have looked into the Readme, Examples, and FAQ and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

Due to how we implemented step-up auth for MFA management on v3, we need the ability to access the "previous session" in onCallback, so that we can set the new session to be a combination of the previous and incoming session, with an mfa access token set as a new property onto the "old session" and persisted. We've run into a problem when trying to migrate to v4, because the signature of onCallback does not expose the request, so we are unable to call getSession within onCallback to accomplish this.

Example v3 code, using afterCallback:

import type { NextApiRequest, NextApiResponse } from 'next'
import { getSession, Session, LoginOptions } from '@auth0/nextjs-auth0'

export const afterCallback = async (
  req: NextApiRequest,
  res: NextApiResponse,
  session: Session,
  state: LoginOptions | undefined
) => {
  // Previous session is null on initial login
  const prevSession = await getSession(req, res)

  // Only the step-up login for MFA management carries this scope: keep the
  // existing session and attach the short-lived token to it as a new property
  if (prevSession && session.accessTokenScope?.includes('someParticularScope')) {
    prevSession.mfaAccessToken = {
      accessToken: session.accessToken,
      accessTokenScope: session.accessTokenScope,
      accessTokenExpiresAt: session.accessTokenExpiresAt,
    }
    return prevSession
  }
  ...
}

Note: We established this pattern with guidance from Auth0 Professional Services when onboarding a few years back.

Describe the ideal solution

I know that handleCallback receives the request. Our issue could be resolved by either:

  • Having handleCallback retrieve the "previous session" and pass it into onCallback. This would be pretty niche and would probably not be useful for most users.
  • Having handleCallback pass the request into onCallback. This allows users the freedom to use the request as needed, including calling getSession to get the "previous session" if needed. I think this would be the most ideal solution.

Alternatives and current workarounds

I can't think of many workarounds if we continue handling step-up auth the same way. We could consider patching the package ourselves, but we'd rather stay on the official release.

Of course another option is to change how we do step-up auth. Instead of having a dedicated "MFA management token" that is thrown away and not refreshable, we could shift to using just our existing "main" JWT and enhancing front-end and back-end checks to verify things like "last authenticated within the past X minutes", and the presence of "amr": ["mfa"] for sensitive operations like editing or disabling MFA. This does seem like a better long-term solution, but it will take us a bit of time to get there. In the meantime, I was hoping to see the feasibility of passing request to the onCallback handler, and seeing if there are any risks to that or if you see any reasons that may not work for us.

Additional context

We use a completely separate JWT to make API calls from our MFA-management account page. This token is a throwaway token, only valid for 5 minutes and NOT refreshable. It is stored into the session on a property we set, mfaAccessToken. To be able to do this, we need access to the previous session data as well as the incoming session data after the callback.
