okta / okta-oidc-middleware

OIDC enablement for Fortran applications
https://github.com/okta/okta-oidc-middleware

Error: did not find expected authorization request details in session, req.session["oidc:https://wpp.okta.com"] is undefined when session cookie "Same-Site"="Strict" #33

Closed SethCaparelli closed 2 years ago

SethCaparelli commented 2 years ago

Current behavior

When setting "Same-Site"="Strict" on the session cookie, the following error is thrown:

```
Error: did not find expected authorization request details in session, req.session["oidc:https://wpp.okta.com"] is undefined
    at /usr/src/app/node_modules/openid-client/lib/passport_strategy.js:126:13
    at OpenIDConnectStrategy.authenticate (/usr/src/app/node_modules/openid-client/lib/passport_strategy.js:174:5)
    at attempt (/usr/src/app/node_modules/passport/lib/middleware/authenticate.js:366:16)
    at authenticate (/usr/src/app/node_modules/passport/lib/middleware/authenticate.js:367:7)
    at Layer.handle [as handle_request] (/usr/src/app/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/usr/src/app/node_modules/express/lib/router/index.js:317:13)
    at /usr/src/app/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/usr/src/app/node_modules/express/lib/router/index.js:335:12)
    at next (/usr/src/app/node_modules/express/lib/router/index.js:275:10)
    at SessionStrategy.strategy.pass (/usr/src/app/node_modules/passport/lib/middleware/authenticate.js:343:9)
```

The issue occurs randomly in Chrome, but consistently in Safari and Firefox.

Expected behavior

No error thrown when setting session cookie "Same-site"="strict".

Minimal reproduction of the problem with instructions

Set the following session:

```js
session({
  secret: "SECRET",
  resave: false,
  saveUninitialized: false,
  cookie: { httpOnly: true, secure: true, sameSite: "strict" }
})
```

mariohmol commented 2 years ago

I'm having this issue even without this flag

https://github.com/okta/okta-oidc-js/issues/271#issuecomment-979457358

oleksandrpravosudko-okta commented 2 years ago

Thanks for reporting this @SethCaparelli. Internal Ref: OKTA-448945

jaredperreault-okta commented 2 years ago

The reason an error is being thrown is that using sameSite=strict in this configuration breaks the OIDC flow. This article does a good job explaining, but essentially strict prevents the cookie with the authentication info from being returned to the server.

Here is some additional info

I believe the reason you're experiencing intermittent issues with Chrome is that, as of version 80, Chrome has changed the default behavior of cookies in regards to secure and sameSite. More Info on Chrome changes

Microsoft had warned back in January that sites and applications that rely on OpenID-based federation could be affected by the SameSite change. There were updates to .NET to support the new SameSite attribute. Enterprise IT administrators should have made changes to how the cookies are being handled by now to avoid issues with single sign-on and internal applications.
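To make the explanation above concrete, here is an added illustration (not code from okta-oidc-middleware or from anyone in this thread): a small model of the browser's SameSite cookie rules, applied to the redirect that brings the browser back from the issuer to the app's callback. The app host `app.example.com`, the session store, the session id and the state value are all constructed for the example; the issuer is the one from the reported error, and the absent-attribute-means-Lax default is the Chrome 80+ behaviour referred to in the comment.

```javascript
// Added illustration (not from okta-oidc-middleware): a simplified model of
// the browser's SameSite cookie rules (RFC 6265bis, first-party contexts only)
// applied to the authorization-code callback, showing why a sameSite=strict
// session cookie makes the callback arrive without the saved OIDC state.

// Registrable domain ("site") of a URL; good enough for example.com-style hosts.
function siteOf(url) {
  const host = new URL(url).hostname;
  return host.split(".").slice(-2).join(".");
}

// Decide whether the browser attaches `cookie` to `request`.
//   cookie:  { site, sameSite: "strict" | "lax" | "none" | undefined, secure }
//   request: { url, initiatorSite, topLevel, method }
function cookieIsSent(cookie, request) {
  if (siteOf(request.url) !== cookie.site) return false;   // cookie belongs to another site
  const crossSite = request.initiatorSite !== null && request.initiatorSite !== cookie.site;
  if (!crossSite) return true;                              // same-site request: always attached
  // Chrome 80+ treats a cookie without a SameSite attribute as Lax (assumed modern default).
  const mode = cookie.sameSite ?? "lax";
  switch (mode) {
    case "strict":
      return false;                                         // never attached cross-site
    case "lax":
      return request.topLevel && ["GET", "HEAD"].includes(request.method);
    case "none":
      return cookie.secure === true;                        // None is only honoured with Secure
    default:
      return false;
  }
}

// Walk the callback leg of the flow for a session cookie with the given
// SameSite mode and report what the callback handler can see in the session.
function runCallback(sameSite) {
  const appUrl = "https://app.example.com";       // constructed app host
  const issuer = "https://wpp.okta.com";          // issuer from the reported error
  const cookie = { site: siteOf(appUrl), sameSite, secure: true };
  // Leg 1 (already happened, same-site): /login stored the pending request under
  // the key the middleware uses, then redirected the browser to the issuer.
  const serverSessions = new Map([["sid-1", { [`oidc:${issuer}`]: { state: "abc123" } }]]);
  // Leg 2: the issuer redirects the browser to the callback. From the browser's
  // point of view this is a cross-site, top-level GET initiated by the issuer.
  const callback = {
    url: `${appUrl}/authorization-code/callback?code=xyz&state=abc123`,
    initiatorSite: siteOf(issuer),
    topLevel: true,
    method: "GET",
  };
  const sessionId = cookieIsSent(cookie, callback) ? "sid-1" : undefined;
  // Without a cookie, express-session hands the handler a fresh, empty session.
  const session = sessionId ? serverSessions.get(sessionId) : {};
  const pending = session[`oidc:${issuer}`];
  if (pending === undefined) {
    return `Error: did not find expected authorization request details in session, req.session["oidc:${issuer}"] is undefined`;
  }
  const returnedState = new URL(callback.url).searchParams.get("state");
  return `ok: stored state ${pending.state} matches returned state ${returnedState}`;
}

for (const mode of ["strict", "lax", undefined]) {
  console.log(`sameSite=${mode}: ${runCallback(mode)}`);
}
```

With `strict` the callback request carries no session cookie, so the handler gets an empty session and fails exactly as in the stack trace; with `lax` (or no attribute on a browser that defaults to Lax) the cookie is attached because the callback is a safe top-level navigation, and the stored state can be compared with the one returned in the query string.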

mbyrne00 commented 1 year ago

Hi @jaredperreault-okta .... thanks for the info, but the article you linked suggests that there is something that can be done to circumvent this ... that oidc flow itself isn't necessarily broken ... just that the existing flow is broken. Auth0 says "we got you covered". Just checking is there an update to the specific Okta implementation of the flow that can be done to accommodate? Any tweaks to this lib that allow some other means of validating the response/state?

As already mentioned, if you’re a customer of Auth0, then be sure we’ve got you covered. We already have changes in progress on the service side to get rid of those pesky Javascript console warnings.

We’re also going through our SDK libraries, reviewing their use of cookies and making sure we update those that need to be updated well before this change goes into effect for regular users. So, again, be sure to check and update your SDKs periodically and be on the lookout for any advisories in their README and CHANGELOG as well as your Auth0 Dashboard Notifications for any actions required.

harshit-sigmoid commented 2 months ago

Hey, did anyone get the solution yet? Also wanted to know if using CookieSession will help here. @mbyrne00 @joearanbayev-okta please let me know if you guys have a solution for the above error.

My configs are:

app.js:

```js
import express from "express";
import expressSession from "express-session";
import oidc from "./oktaMiddleware/oktaConfig.js";
// `logger` is used below but not shown in the post; assumed to be a logging instance defined elsewhere.

const app = express();

// Middleware
app.use(express.json());
app.use(
  expressSession({
    secret: process.env.EXPRESS_SECRET_KEY, // Replace with a strong secret key
    resave: true,
    saveUninitialized: false,
  })
);

// OIDC setup
oidc.on("ready", () => {
  logger.info("Okta OIDC middleware is ready");
});

oidc.on("error", (err) => {
  logger.error("Okta OIDC middleware error", err);
});

app.use(oidc.router);
```

Okta is instantiated in a different folder like:

```js
import oidcMiddleware from "@okta/oidc-middleware";

const oidc = new oidcMiddleware.ExpressOIDC({
  issuer: process.env.OKTA_ISSUER_ID,
  client_id: process.env.OKTA_CLIENT_ID,
  client_secret: process.env.OKTA_CLIENT_SECRET,
  redirect_uri: process.env.OKTA_REDIRECT_URI,
  appBaseUrl: process.env.OKTA_BASE_URL,
  scope: "openid profile email",
  routes: {
    loginCallback: {
      path: "/authorization-code/callback",
      defaultRedirect: "/profile",
    },
  },
  post_logout_redirect_uri: process.env.OKTA_REDIRECT_URI,
});

export default oidc;
```