fusionauth-netcore-client

exposing client builder to allow httpClient.

Open mark-robustelli opened this issue 1 year ago • 1 comments

DefaultRestClient.cs is the change that will stick. The changes to FusionAuthClient.cs and FusionAuthSyncClient.cs will have to be added to fusionauth-client-builder. I will add that now.

mark-robustelli, Feb 28 '24 17:02

Having built my own client to support injecting an HttpClient using IHttpClientFactory as this change supports, you should note that having a single HttpClient can mean that cookies and access tokens are shared across requests.

I have an API that sits between our client application and FusionAuth. If User A renews their token using the /api/jwt/refresh endpoint and then User B tries to do the same afterwards, User B will receive User A's JWT/Access token.

This happens as the response from FusionAuth includes a Set-Cookie header (documented here), and the refresh endpoint, and I assume others, use the cookies over the JSON payload being sent.

To get around this and still use IHttpClientFactory (as is best practice) I've had to disable cookies:

services.AddHttpClient("my-fusion-client")
    .ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler { UseCookies = false });

Hope this helps someone and saves them the trouble I've had 👍

matt-lethargic, Jun 13 '24 12:06
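The cookie sharing described in the comment above, reproduced against a constructed local `HttpListener` stand-in. This is an added example, not code from this PR or from FusionAuth; the port, path, `user` query parameter and cookie name are assumptions. With the default handler the server receives User A's cookie on User B's request; with `UseCookies = false` it receives none.

```csharp
// Added example: constructed local server and values; not FusionAuth code.
using System;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;

const string Url = "http://localhost:5599/refresh/"; // assumed free local port

// Stand-in upstream: answers every request with Set-Cookie and echoes back
// the Cookie header it received, so the caller can see what was sent.
using var listener = new HttpListener();
listener.Prefixes.Add(Url);
listener.Start();
_ = Task.Run(async () =>
{
    while (listener.IsListening) // GetContextAsync throws once Stop() is called
    {
        var ctx = await listener.GetContextAsync();
        var user = ctx.Request.QueryString["user"];
        var seen = ctx.Request.Headers["Cookie"] ?? "(none)";
        ctx.Response.Headers.Add("Set-Cookie", $"refresh_token=token-of-{user}; Path=/");
        var body = Encoding.UTF8.GetBytes(seen);
        await ctx.Response.OutputStream.WriteAsync(body, 0, body.Length);
        ctx.Response.Close();
    }
});

// Sends "User A" then "User B" through ONE client, the way requests share a
// pooled primary handler, and returns the Cookie header seen for User B.
async Task<string> CookieSeenForUserB(HttpClientHandler handler)
{
    using var client = new HttpClient(handler);
    await client.GetStringAsync(Url + "?user=A");
    return await client.GetStringAsync(Url + "?user=B");
}

Console.WriteLine("default handler : " + await CookieSeenForUserB(new HttpClientHandler()));
Console.WriteLine("UseCookies=false: " + await CookieSeenForUserB(new HttpClientHandler { UseCookies = false }));
listener.Stop();
```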