
fix: persist JWT session in storage so user identity survives token exchange #146

Open
hrntknr wants to merge 2 commits into main from fix/persist-jwt-session-in-storage

Conversation

hrntknr (Member) commented Apr 16, 2026

Summary

  • models.Request was not serializing the fosite session, causing user identity (sub, userinfo) to be lost during authorization code → access token exchange.
  • Add SessionData field to models.Request to persist the session as JSON.
  • Storage layer (kvs.go, sql.go) now restores the session from stored data when available. For old data without SessionData, the session remains nil (no fallback to empty session).
  • Added E2E test verifying sub and userinfo claims survive the full OAuth flow.
  • Added repository-level tests for session persistence and backwards compatibility.

Type of Change

  • fix: A bug fix

Related Issues

Related to #143

…xchange

The session (sub, userinfo) was lost during authorization code → access
token exchange because models.Request did not serialize the session.
The storage layer then overwrote the stored session with an empty one
passed from handleToken.

Add SessionData field to models.Request to serialize/deserialize the
session. On restore, only populate the session when stored data exists
(no fallback to empty session for old data).
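As an added illustration (not the PR's code), a stand-in Go model of the fix described above: the session is serialized into a SessionData field on the stored request and restored only when that data exists, so a record written before the field existed yields a nil session rather than an empty one. The Session and Request types and the NewRequest/RestoreSession helpers are assumed names, not the project's own.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Session stands in for the fosite session (sub and userinfo claims); hypothetical type.
type Session struct {
	Subject  string            `json:"sub"`
	UserInfo map[string]string `json:"userinfo,omitempty"`
}

// Request mirrors the stored record: SessionData holds the session as JSON and is
// empty for records written before the field existed.
type Request struct {
	ID          string `json:"id"`
	SessionData []byte `json:"session_data,omitempty"`
}

// NewRequest serializes the live session into the record to be stored.
func NewRequest(id string, s *Session) (Request, error) {
	r := Request{ID: id}
	if s == nil {
		return r, nil
	}
	b, err := json.Marshal(s)
	if err != nil {
		return Request{}, err
	}
	r.SessionData = b
	return r, nil
}

// RestoreSession rebuilds the session only when stored data exists. A legacy
// record without SessionData yields nil, not an empty session, so a caller
// cannot mistake "identity missing" for "identity is anonymous".
func RestoreSession(r Request) (*Session, error) {
	if len(r.SessionData) == 0 {
		return nil, nil
	}
	var s Session
	if err := json.Unmarshal(r.SessionData, &s); err != nil {
		return nil, fmt.Errorf("decode session for request %s: %w", r.ID, err)
	}
	return &s, nil
}
```

The token-exchange step should read the subject from the restored session of the stored authorization-code request, not from an empty session handed in by the token handler.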
codecov bot commented Apr 16, 2026

Codecov Report

❌ Patch coverage is 19.04762% with 17 lines in your changes missing coverage. Please review.

Files with missing lines       Patch %   Lines
pkg/repository/kvs.go           0.00%    8 Missing ⚠️
pkg/models/models.go            0.00%    5 Missing ⚠️
pkg/repository/interface.go    66.66%    1 Missing and 1 partial ⚠️
pkg/repository/sql.go           0.00%    1 Missing and 1 partial ⚠️


ipe4647 (Contributor) commented Apr 23, 2026

I can confirm that this exposes at least the email value in the Entra response under the userinfo path.

Testing config:

- --oidc-scopes=openid,email,profile
- --header-mapping-base=/userinfo
- --header-mapping=/email:X-WEBAUTH-USER
- --oidc-user-id-field=/sub
