Problem with {{baseUrl}}/api/v1/sessions/me

I'm using Python and the requests library to get cookies from Okta, and then I want to get the session (or just idx if possible).

I need to save it on the server side to identify later whether the user is still logged in on the client with a certain session.

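```python
import requests

# Fetch the org landing page and keep whatever cookies it sets
dom = "https://{domain}.okta.com"
cookies1 = requests.get(dom)

# Ask for the current session using only those cookies
sesuri = dom + "/api/v1/sessions/me"
sessiondata = requests.get(sesuri, cookies=cookies1.cookies)
```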

And this is giving me:

[image]

I already checked the link manually in the browser, and I could open it and I have active session data.

If you look at the documentation, session/me is a CORS call from the browser; it won’t work from the server side: Sessions.

The other possible way to check if they have a session (and it will extend it) is to force an authorization call asking for a token, but with the option to NOT do authentication (silent mode). When they come back to your app they’ll either have the token or the request failed because they aren’t logged in.

I sincerely hope I’m on the right track to answering your question.
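
The silent-mode check described in the reply above, as an added example that is not part of the original thread: it builds an OIDC authorization request with `prompt=none` and classifies the redirect that comes back. The org URL, client ID, redirect URI and function names are placeholders, and using the authorization-code flow on Okta's org authorization server is an assumption.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed placeholders (assumptions, not values from the thread).
OKTA_ORG = "https://example.okta.com"
CLIENT_ID = "0oa-placeholder-client-id"
REDIRECT_URI = "https://app.example.com/callback"


def build_silent_authorize_url(org=OKTA_ORG, client_id=CLIENT_ID,
                               redirect_uri=REDIRECT_URI):
    """Return (url, state, nonce) for an authorization request that must not prompt."""
    state = secrets.token_urlsafe(24)   # binds the callback to this request
    nonce = secrets.token_urlsafe(24)   # echoed in the ID token, checked after exchange
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "prompt": "none",               # silent mode: never show a login page
    }
    return f"{org}/oauth2/v1/authorize?{urlencode(params)}", state, nonce


def parse_callback(callback_url, expected_state):
    """Classify the redirect the IdP sends back to the app."""
    query = parse_qs(urlsplit(callback_url).query)
    first = lambda key: query.get(key, [None])[0]
    got_state = (first("state") or "").encode()
    if not secrets.compare_digest(got_state, expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this request")
    error = first("error")
    if error in ("login_required", "interaction_required"):
        return {"session": False, "reason": error}   # no usable IdP session
    if error:
        raise RuntimeError(f"authorization failed: {error}")
    if first("code"):
        return {"session": True, "code": first("code")}
    raise RuntimeError("callback carried neither code nor error")
```

The returned `code` still has to be exchanged at the token endpoint, and the `nonce` compared with the one in the resulting ID token, before the server treats the user as logged in.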

Hi, I kind of wrote incorrectly what I had in mind. It’s on the client side; I just want to use it and pass it through the nonce/state parameter to the server side. I’m calling this code after the user has logged in in the browser, so he should have an active session. Or if there is anything else which I can bind as a unique session, I would like to use it. I tried to get the idx cookie externally from the browser, but the request does not return it, and JSESSION is dynamic when I need something static to check later.

By externally I mean I’m fetching default browser data, not creating my own browser session in Selenium or anything like that.

Hi Jacob,

I think we need to back up, because I see some gaps in what you are trying to explain. First of all, are you dealing with a web application written in Python (Flask? Django?), or a single page application (JavaScript) running on the client side and you are trying to control access to a Python web service (API)?

I don’t think it’s any of them, but it’s more similar to a web app.

The client side is in Python but it does not contain Flask or Django; instead I’m using Apache on a different host, which is the server machine. I have a connection between me and a different machine to transfer data, and it creates a kind of weird way to handle OAuth. I’m transmitting data to the client side using two protocols (not only HTTP/S), so basically I’m sending some data back from the server to display the website after login, and then for the rest I’m using another.

So both the web server which is used for the redirect URI and the web page are on the server side, while the initial request is on the client side; it’s more of a desktop client app? I’m not that experienced, so I’m not sure.

I think your view of how things work is getting in the way. The only place the user actually authenticates is the identity provider (IdP). The IdP provides an ID token and access token to the application. It doesn’t matter if the application is a single-page application running in the browser or a web application. So the application trusts what the IdP gives it and considers the user to be authenticated. In a web application this usually results in a session being created for the user. It sounds like the application the user is seeing is a web application that serves HTML pages?

I am still really confused about what you are trying to do after that. Whether a web app or a single-page application, it is up to the application to decide if the user is still logged in to it, that’s not a function of the IdP. Maybe the session in a web app expires, or the user clicks a logout link.

Normally if your app depends on another service, the best way is to use an access token from the IdP with every call to tell that service who the user is and what they are authorized to do. But, your application can use any kind of communication it wants with another service, it’s up to that service to decide if it trusts the application. So I am really confused as to what you are trying to build here :slight_smile:

Maybe a picture would help?