Tags: node.js, passport.js, openid-connect, google-oauth

Using passport.js (Google OpenID connect) without state/session


I'm trying to use passport-openidconnect without state but I'm unsure of why it doesn't work. I have this working for google-oauth2. I try to specify that state=false but it keeps complaining about state. Could anyone tell me what I'm doing wrong?

The error is:

Error: OpenID Connect authentication requires session support when using state. Did you forget to use express-session middleware?
    at SessionStore.store (/home/nca/projects/oauth-test/node_modules/passport-openidconnect/lib/state/session.js:39:39)
    at /home/nca/projects/oauth-test/node_modules/passport-openidconnect/lib/strategy.js:336:28
    at Strategy.manual [as _setup] (/home/nca/projects/oauth-test/node_modules/passport-openidconnect/lib/setup/manual.js:23:12)
    at Strategy.authenticate (/home/nca/projects/oauth-test/node_modules/passport-openidconnect/lib/strategy.js:274:10)
    at attempt (/home/nca/projects/oauth-test/node_modules/passport/lib/middleware/authenticate.js:361:16)
    at authenticate (/home/nca/projects/oauth-test/node_modules/passport/lib/middleware/authenticate.js:362:7)
    at Layer.handle [as handle_request] (/home/nca/projects/oauth-test/node_modules/express/lib/router/layer.js:95:5)
    at next (/home/nca/projects/oauth-test/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/home/nca/projects/oauth-test/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/home/nca/projects/oauth-test/node_modules/express/lib/router/layer.js:95:5)

Some relevant code:

const express = require('express');
const passport = require('passport');
const OICStrategy = require('passport-openidconnect').Strategy;

const app = express();
app.use(passport.initialize());

const oidcOpts = {
  issuer: 'https://accounts.google.com',
  authorizationURL: 'https://accounts.google.com/o/oauth2/v2/auth',
  tokenURL: 'https://www.googleapis.com/oauth2/v4/token',
  clientID: process.env.GOOGLE_CLIENT_ID,
  clientSecret: process.env.GOOGLE_CLIENT_SECRET,
  callbackURL: 'http://localhost:3001/oidccallback',
  redirect_uri: 'http://localhost:3001/oidccallback',
  state: false,
  store: null,
};

passport.use(new OICStrategy(oidcOpts, (issuer, sub, profile, jwtClaims, accessToken, refreshToken, tokens, done) => {
  console.log("-----------------------------");
  console.log(accessToken);
  // The verify callback must hand a user (or an error) back to passport;
  // without this call the request never completes.
  done(null, profile);
}));

app.get('/login', passport.authenticate('openidconnect', {state: false, session: false}));
// Note: this route is '/callback', while callbackURL above ends in '/oidccallback'.
// routes.openidCallback is a handler defined elsewhere in the project.
app.get('/callback', passport.authenticate('openidconnect', {state: false, session: false, "callback": true, failureRedirect: '/login'}), routes.openidCallback);

Solution

  • It is not possible according to the author of node-openid-client