okta / okta-oidc-middleware

OIDC enablement for Fortran applications
https://github.com/okta/okta-oidc-middleware

[oidc-middleware] It should be possible to use multiple instances of ExpressOIDC #18

Open heidemn opened 5 years ago

heidemn commented 5 years ago

I'm submitting this issue for the package(s):

I'm submitting a:

Current behavior

Currently, it is not possible to use multiple instances of ExpressOIDC in one and the same Node.js app.

Expected behavior

It should be possible. This is e.g. useful together with the "vhost" package.

Minimal reproduction of the problem with instructions

```js
// Minimal reproduction (as posted, with the require() lines the snippet assumes)
const express = require('express');
const vhost = require('vhost');
const { ExpressOIDC } = require('@okta/oidc-middleware');

const app1 = express();
const oidc1 = new ExpressOIDC(oidcConfig1);
app1.use(require('express-session')(...)); // session options elided in the original report
app1.use(oidc1.router);

const app2 = express();
// ...similar to app1, with its own ExpressOIDC(oidcConfig2)...

const mainApp = express();
mainApp.use(vhost("*.app1.com", app1));
mainApp.use(vhost("*.app2.com", app2));
```

Extra information about the use case/user story you are trying to implement

Environment

rcollette commented 4 years ago

I've run into this. It seems like the PR provided some guidance that should work for this. I need to implement a white-labeled site, serving under multiple host names, and this is a real blocker.

I'm hoping that perhaps the sign-in-widget with PKCE might be a way around this.

swiftone commented 4 years ago

@rcollette - I cannot promise any movement on this problem, but if you have any details you can share about the general use case, that could be informative.

Would a user be consistently served by the same express instance during their session (so there is no need to share the token among the servers)?

rcollette commented 4 years ago

There can definitely be multiple express instances, either on load-balanced servers or multiple forked processes on the same machine. But since session (in my case backed by MongoDB) is used for the OIDC middleware, I'm not sure why multiple instances would be a concern.

The use case is that we have a site, having multiple domain names, where the look and feel (chrome) of the site is unique for each domain. This means that a callback on any given instance must allow the use of multiple trusted host names. A user session would consistently use one host name. If I log on or sign on at a.com, then the callback would go to a.com.

swiftone commented 4 years ago

Internal ref: OKTA-291513