Refresh_token is stored in cookie when using azure oauth #1832

Open
arnemorten opened this issue Jan 30, 2025 · 0 comments
Is your feature request related to a problem? Please describe.
After the recent release of chainlit (f308392), the refresh_token gets stored in the User object, which is written to the JWT that is stored in the cookie in chunks as accesstoken_0 and accesstoken_1. I believe this isn't the best security practice and may have CSRF vulnerabilities.

Describe the solution you'd like
I think the refresh token should only be stored in a data layer and not in the User metadata, which gets written to the JWT.

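The two storage patterns the issue contrasts, as an added illustration (this is not chainlit's code and does not use its API): a minimal HS256 JWT built from the standard library stands in for the real cookie, the `User` dataclass and the `build_cookie_*` / `refresh_token_for` helpers are hypothetical, and the in-memory `dict` is a stand-in for the data layer the reporter asks for. The point it makes is that a JWT is signed, not encrypted, so whatever lands in the `metadata` claim is readable by anyone holding the cookie; keeping the refresh token server-side and putting only an opaque session id in the cookie removes it from that exposure.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"constructed-demo-signing-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(payload: dict, secret: bytes) -> str:
    """Minimal HS256 JWT encoder, a stand-in for a JWT library."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def decode_jwt(token: str, secret: bytes) -> dict:
    """Verify the HS256 signature and return the payload; raise if it was tampered with."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid JWT signature")
    return json.loads(_b64url_decode(body))


@dataclass
class User:
    """Hypothetical user record; 'metadata' mirrors what an OAuth login hands back."""
    identifier: str
    metadata: Dict[str, str] = field(default_factory=dict)


def build_cookie_vulnerable(user: User, secret: bytes) -> str:
    """Pattern the issue describes: the whole metadata dict, refresh token
    included, is serialised into the signed cookie."""
    payload = {"identifier": user.identifier, "metadata": user.metadata,
               "exp": int(time.time()) + 3600}
    return encode_jwt(payload, secret)


def build_cookie_hardened(user: User, secret: bytes, store: Dict[str, str]) -> str:
    """Hardened pattern: the refresh token stays in the server-side store (the data
    layer) and the cookie carries only an opaque session id that points at it."""
    session_id = secrets.token_urlsafe(16)
    refresh_token = user.metadata.get("refresh_token")
    if refresh_token is not None:
        store[session_id] = refresh_token
    safe_metadata = {k: v for k, v in user.metadata.items() if k != "refresh_token"}
    payload = {"identifier": user.identifier, "metadata": safe_metadata,
               "sid": session_id, "exp": int(time.time()) + 3600}
    return encode_jwt(payload, secret)


def refresh_token_for(token: str, secret: bytes, store: Dict[str, str]) -> Optional[str]:
    """Server-side lookup: the session id is trusted only after the signature verifies."""
    payload = decode_jwt(token, secret)
    return store.get(payload.get("sid", ""))


def secrets_visible_in_cookie(token: str) -> List[str]:
    """What a cookie holder can read WITHOUT the signing key: the payload is only
    base64url-encoded, so the signature gives integrity, not confidentiality."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return sorted(k for k in payload.get("metadata", {}) if "token" in k.lower())


if __name__ == "__main__":
    # Constructed sample login result.
    user = User("alice@example.com", {"provider": "azure-ad", "refresh_token": "rt-constructed"})
    store: Dict[str, str] = {}
    print("vulnerable cookie exposes:", secrets_visible_in_cookie(build_cookie_vulnerable(user, SECRET)))
    hardened = build_cookie_hardened(user, SECRET, store)
    print("hardened cookie exposes:", secrets_visible_in_cookie(hardened))
    print("server can still resolve the token:", refresh_token_for(hardened, SECRET, store))
```

Running it prints `['refresh_token']` for the first cookie and `[]` for the second, while the server still resolves the refresh token through the session id. The same split is what makes rotation and revocation practical: deleting the store entry invalidates the refresh token without reissuing cookies.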