Calling Developers!
We are reenergizing our code contribution process! Learn More

What are the Slack Archives?

It’s a history of our time together in the Slack Community! There’s a ton of knowledge in here, so feel free to search through the archives for a possible answer to your question.

Because this space is not active, you won’t be able to create a new post or comment here. If you have a question or want to start a discussion about something, head over to our categories and pick one to post in! You can always refer back to a post from Slack Archives if needed; just copy the link to use it as a reference..

Hello, does somebody already implemented a token based spryker yves login with access token and refr

UPWG9AYH2 Posts: 509 🧑🏻‍🚀 - Cadet

does somebody already implemented a token based spryker yves login with access token and refresh token? We have an external auth server where the user gets redirected to, when he is not known/anonymous and comes back with some auth code for spryker to be exchanged for an access token …

But for our scenario we have some problems using the standard auth mechanism from spryker for it. As far as i can see, Spryker just checks if there is an active session in the session storage and loads the user from it. Otherwise you get redirected to the sprykers login page where you enter your credentials. So as long the session is there, there is no restriction for the user, This does not fit to the requirement of the expiration time from the access token.

So first idea is that we also just drop the session. The problem is, that when the session is gone, there is no info for at least identifying the user that is now using the shop that we could use to refresh a token. The consequence would be that the user always gets redirected to the login page of the auth server.

My idea is now to left the session lifetime of the customer high but encode the (access tokens) expiration time somehow in the customers session data when creating the symfony token for the token storage. Checking this expiration time on every request and “invalidate” the customer if the time expires, call the zed backend and use the “refresh token” from there (token saved in database?) to issue a new expiration time (or drop the session if the auth server denies refresh)

Unfortunately i am not really familiar with this concepts at all, but it seems a real big roundtrip to me where i wonder if there is already some spryker solution/entry points that i could use or tipps from somebody get this done …



  • Jeremy Fourna
    Jeremy Fourna Lead Product Manager Posts: 130 🧑🏻‍🚀 - Cadet

    Hello Ingo, we are planning to support OpenID Connect protocol in Yves, we already have a support for it in Zed. It works with the session, so we use the 3rd party Identity Manager to login and after that we trust the Spryker session. Will you have time next week to talk about your requirements so that when we officially support Yves, you use cases might be supported.