ColdFusion (2025)'s CFOAUTH Tag

coldfusion
ColdFusion (2025)'s CFOAUTH Tag

Back in May of last year, I wrote up a blog post on ColdFusion's oauth tag. This was based on a feature from way back in ColdFusion 11 that I thought I'd take a look at to see if it was useful. I'm not going to repeat the entire previous blog post, but in general... it was almost something I'd recommend.

The tag did a good job of handling creating the right oauth link for you. So you could (after setting stuff up with your provider of course) drop the tag on a page, and when the user hit it, they would be prompted to login with the third party provider. When returned, the tag would handle getting the access token and such and giving you a nice little structure of data for you to use.

I generally dislike my server-side code from doing anything on the client-side, but this felt like a good compromise in regards to what it was doing. That being said, I ultimately could not recommend using the tag as it failed at two crucial aspects:

  • It did not return the expires_in value so you knew how long your access token was valid.
  • It did not return a refresh token, even if you used the right parameters to get that.

I filed a bug report for this and moved on. Now it's over a year later, ColdFusion 2025 was released in the meantime, and it looks like everything was fixed... despite my original bug report not being updated.

From the release notes:

cfoauth changes: The cfoauth tag has been updated to updated to support enhanced workflows and configurations. This release also introduces Microsoft as a new auth type along with Google and Facebook. View the cfoauth tag doc for more information.

Cool! So... does it work better? Absolutely. As I said, I'm not going to repeat everything from the previous post, but this code now works as expected in terms of getting a refresh token and having the expiration value:

<cfoauth type="google" 
    clientId="#application.googleAuth.clientId#" 
    secretkey="#application.googleAuth.clientSecret#" 
	result="result" 
    scope="https://www.googleapis.com/auth/calendar"
    urlparams="access_type=offline&prompt=consent"
    >

<cfif structKeyExists(variables, "result")>
	<cfset session.auth = result>
	<cflocation url="index.cfm" addtoken="false">
</cfif>

That auth struct now contains what I said above, expires_in and refresh_token:

Cool! Even more interesting, according to the reference doc for changes to this tag in CF2025, you can also refresh your access token using the refresh token via the tag, saving you a bit more work.

I hereby now approve usage of this tag. (Allow me to pretend that I somehow dictate how folks use ColdFusion. ;)

Photo by Kaffeebart on Unsplash

Hire Me!

I'm currently looking for my next role in developer evangelism and advocacy. I have a long history of helping companies work with developers and love to write, create demos, and present at conferences. You can find my resume to learn more and drop me an email (raymondcamden@gmail.com) to reach out.

Support this Content!

If you like this content, please consider supporting me. You can become a Patron, visit my Amazon wishlist, or buy me a coffee! Any support helps!

Want to get a copy of every new post? Use the form below to sign up for my newsletter.