PKCE & token endpoint

[kh-pgodoy]

Hi, I finally got my hands in a project using this library with PKCE activated. The issue arises when I have to get the jwt token from the token endpoint. I'd assume, this is automatically done when this function is called on the callback step, but token and tokenSecret comes empty.

 const strategy = new Strategy(strategyObject, function (
      token,
      tokenSecret,
      profile,
      cb
    ) {
      USER_PROFILE_DATA = profile;
      return cb(null, profile);
    });

Let's assume because this doesn't work due to some IDP config thing, and I could just simply do the call to the token endpoint manually, because I know the url and I got the authorization code. But!,then what I need is the code_verifier, as it is one of the parameters needed (per doc https://www.oauth.com/oauth2-servers/pkce/authorization-code-exchange/) How can I get the code_verifier the library uses behind the scenes? TIA

[jaredhanson]

I'm not following your question here. The verify callback you pasted above seems to be using passport-oauth1. OAuth 1.0 doesn't have PKCE, and OAuth 2.0 doesn't have token secrets. The verify function to passport-oauth2 should be as follows:

function(accessToken, refreshToken, profile, cb) {
    //...
  }

I suspect you are incorrectly configuring your strategy. As I've mentioned, the PKCE details are handled internally by this library and not exposed to the application, which shouldn't need them.

[kh-pgodoy]

Thanks, changed that but still nothing. I used the same structure for the facebook/twitter passport library and I'm getting info on the parameters accessToken, refreshToken, profile, cb :thinking:, as if the verify function were never called.

[jaredhanson]

Facebook uses OAuth 2.0 and Twitter uses OAuth 1.0, so their verify callbacks are also different. Which one are you using, and what are the values you are getting?

[kh-pgodoy]

Let's use FB as an example. I'm using the verify function as shown in the example on the readme.

const strategy = new Strategy(strategyObject, function ( accessToken, refreshToken, profile, cb ) { DATA = { accessToken, refreshToken, profile

  };
  console.log(DATA);
  return cb(null, profile);
});
passport.use(strategy);

console.log(DATA) results

  accessToken: 'EAAlBZBu9QJLwBsG34ym5fFZBHfKFJbZCL3eOz1E25iravCiP3lOlbRUcezpp4Oyz1JhSfL1GzDd4r1nZATT9uwHenurWvTOvbUwZC16NLBHcVMm2bcZCDE8clFtz8Uya2fuNJ3HTeyl6VOI0zgrIcCiZCObZAbOnsWHRXdRoOzmr7cPZC8QCKZA6E0S8y8BbkN4ufQmWLpRfLA98S7MKzjH3QftGvpkdyemDA92ic2Vte6WwZDZD',
  refreshToken: undefined,
  profile: {
    id: '1373413419534902',
    username: undefined,
    displayName: 'Juan  Perez',
    name: {
      familyName: undefined,
      givenName: undefined,
      middleName: undefined
    },
    gender: undefined,
    profileUrl: undefined,
    emails: [ [Object] ],
    provider: 'facebook',
    _raw: '{"id":"1373413419531902","name":"Juan Perez","email":"someguy\\u0040gmail.com"}',
    _json: {
      id: '1373413419531902',
      name: 'Juan  Perez',
      email: 'someguy@gmail.com'
    }

}

When I try the same with the oauth2 one, the console.log not even shows up. When I took a look while debugging everything is empty as well. Like I said, as that verify function is never called during the callback

[jaredhanson]

What's the behavior when the callback route is being called? You mention the verify callback is not called, so is the request hanging? Does it error? If it errors, what is the message?

What OAuth 2.0 server is being used? Do you know what response it is returning to your app? There's a lot of missing details here that make it hard to provide any guidance.

This strategy most certainly works with PKCE, so there's something else in your setup that is causing trouble, and the questions above will help isolate it.

[kh-pgodoy]

Thanks for taking the time of answering, I was writing down a comment with a lot of details until I realized the issue. A silly one as always, but I'm going to put it here in case other people fall into the same.

The callback endpoint I created to be used in the callback route didn't have passport.authenticate() as part of the route to act as an express middle-ware

Per documentation:

app.get('/auth/facebook/callback', passport.authenticate('facebook', { failureRedirect: '/login' }), function(req, res) { // Successful authentication, redirect home. res.redirect('/'); });

After doing that change, I got the jwt token without caring too much about the other details I was going crazy about. Thanks again for your help.