
how to set user tokens #104

Open
OblivionSY opened this issue Jan 24, 2025 · 4 comments
Labels
pending triage Triage in progress question Further information is requested

Comments

@OblivionSY

In the nuxt auth module (https://auth.nuxtjs.org/api/auth/#setusertokentoken-refreshtoken) there was the ability to set tokens. How can this be done using nuxt-oidc-auth please?

We have a token generated for an "anon" user, but one who has validated themselves, so not just ANYONE. Previously, I just set the token to "log them in" as this anon user, without the login mechanism. My alternative would be to manage which auth store I use: this module, or retrieve the token from local storage and use that. The advantage with the first was that it would handle refreshes etc. as part of the built-in framework.

Any pointers please?

@itpropro
Owner

This library implements OpenID Connect. The tokens have to be a response from the respective OpenID Connect provider (OAuth 2.0 authorization server).
This server signs them and provides the metadata and JWKS endpoints to verify the token against. Without these security measures, you could just use basic auth ;)

@itpropro itpropro added pending triage Triage in progress question Further information is requested labels Jan 24, 2025
@OblivionSY
Author

Yes, those tokens are generated from the Identity Server, securely, via the backend (ASP.NET) in this case, rather than the Nuxt UI. There is a machine-to-machine flow set up, and a token is requested on behalf of this anon user. This returns the token and refresh token, which previously, in Nuxt 2, could be linked into the auth configuration.

If there is no way to add this token into the existing repository (even if I just added it to local storage or wherever you store them), I can still save the token myself, and if your composable does not think there is a real user, then check for this fake anon user (with a real, valid token).

Any further thoughts (and thanks for getting back so quickly)

@itpropro itpropro pinned this issue Jan 24, 2025
@itpropro
Owner

The problem is that this library's focus is the Authorization Code Flow in a confidential client scenario. The tokens that you describe should never be exposed to a client.
An M2M flow should only be used in a backend-to-backend scenario, and as it is probably using the client credentials flow (one-legged OAuth), it should have very short token expiration times and request a new token regularly to make sure that the client credentials are still valid.
Maybe I don't understand your scenario correctly.
If you still want to store the tokens for server-side (Nitro) usage, you could extend the persistent user session that is stored in the defined unstorage location.
You can check the implementations in the session.ts file that interact with the persistent session to get access to that, but I would recommend not doing that and keeping M2M tokens separately in the backend, as they should never be mixed up with user tokens.

Please share additional insights if I got your setup or use case wrong :)

@OblivionSY
Author

I did get the feeling it was focused around the single flow. You are mostly correct in your scenario, but let me clarify both login streams:

  1. The user clicks "sign in" and we redirect over to Duende IdentityServer; they log in, the IdP sends back tokens etc. and follows the auth flow 100%.

  2. We have a user joining a session. They don't want an account; they are just a guest attending a session, will interact with a few features and, 2 hours later, have nothing further to do with it. In this case, here are the steps we do:

  1. The user enters name / email into a form in the UI.
  2. This is submitted to the C# ASP.NET backend.
  3. The C# server talks to the IdP and makes a temporary account.
  4. The C# server assigns a known password (all anon users have the same password).
  5. The C# server then requests a token via the username/password credentials flow.
  6. The C# server then returns the user token (and maybe refresh token, can't remember) to the client Nuxt UI.
  7. The Nuxt UI (auth module v2) would take these credentials and use them as normal.

So the token is not the M2M token; this remains on the server as true M2M between the IdP and the C# server.

Effectively, if I can store the tokens as if they had done an interactive login, then the issue is solved. When the Nuxt app requests the token from the nuxt-oidc-auth component, it would have the token there and no other code would need to change.

My only other option would be to have 2 mechanisms and add a custom header with an anonymous token. This is not ideal, because all the endpoints are currently secured with the claims in the user token (currently obtained by the OIDC flow or by this password credential login mechanism for anon users), so there would be a fair amount to change.

I assumed there would be some way to store the tokens, and will have a look at the file you suggested - thanks.

Hope that clarified the scenario, and maybe there is a better way to handle anonymous (but not really anonymous!) user scenarios.
