Closed TwistTheNeil closed 5 years ago
I'm trying to not use session with the openid connect strategy but I run into the error:
TypeError: authentication requires session support
However, I see in the readme that it might be possible to not use session:
// store the code_verifier in your framework's session mechanism, if it is a cookie based solution
I plan on not using cookies so is there an option that I am missing?
Snippets of code:
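```js
const express = require('express');
const passport = require('passport');
const { Issuer, Strategy: OIDCStrategy, generators } = require('openid-client');

const app = express();
app.use(passport.initialize());

let opts = {};

const initOIDC = async () => {
  const googleIssuer = await Issuer.discover('https://accounts.google.com');
  console.log('Discovered issuer %s %O', googleIssuer.issuer, googleIssuer.metadata);

  /* Authorize Code Flow */
  /* client object */
  const client = new googleIssuer.Client({
    client_id: process.env.GOOGLE_CLIENT_ID,
    client_secret: process.env.GOOGLE_CLIENT_SECRET,
    redirect_uris: ['http://localhost:3001/oidc/callback'],
    response_types: ['code'],
  });

  /* params object */
  const params = {
    client_id: process.env.GOOGLE_CLIENT_ID,
    response_type: 'code',
    scope: 'openid email profile',
    nonce: generators.nonce(), // generated once here, so the same value is sent on every request
    redirect_uri: 'http://localhost:3001/oidc/callback',
  };

  opts.client = client;
  opts.params = params;
  opts.passReqToCallback = true;

  // Register the strategy only after discovery has filled in opts.
  passport.use('openid', new OIDCStrategy(opts, (req, tokenset, userinfo, done) => {
    // passReqToCallback: true puts req first in the verify arguments.
    console.log("-----tokenset: ");
    console.log(tokenset);
    console.log("userinfo");
    console.log(userinfo);
    done(null, userinfo);
  }));
};

/* Endpoints */
// session: false does not apply to the strategy's own transaction state;
// without req.session these routes throw "authentication requires session support".
app.get('/oidc', passport.authenticate('openid', { session: false, scope: 'profile email openid' }));
app.get('/oidc/callback', passport.authenticate('openid', { session: false, failureRedirect: '/login' }), (req, res) => {
  console.log('i am getting here oh yay or nay');
});

initOIDC().then(() => app.listen(3001));
```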
Is it possible to disable session for Strategy?
It is not. Binding the state/nonce and other transaction details is a prerequisite for a CSRF-protected client.
Alright, thanks for the quick response!
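The binding the answer above refers to, as an added example that is not part of the original thread and is not openid-client or passport code: the per-transaction `state`, `nonce` and `code_verifier` are stored with the browser's session at login start, and a callback is accepted only when that same session holds the matching `state`. The function names and the plain-object session are hypothetical stand-ins for a framework session such as `req.session`.

```javascript
// Added example: hypothetical helpers, not openid-client or passport code.
const crypto = require('crypto');

const random = () => crypto.randomBytes(32).toString('base64url');

// Login start: create per-transaction values and keep them in the session
// (a plain object here; req.session in an Express app).
function beginLogin(session) {
  const tx = { state: random(), nonce: random(), code_verifier: random() };
  session.oidc = tx;
  const code_challenge = crypto.createHash('sha256')
    .update(tx.code_verifier).digest('base64url');
  // Only these values go into the authorization request URL.
  return { state: tx.state, nonce: tx.nonce, code_challenge, code_challenge_method: 'S256' };
}

function sameString(a, b) {
  const x = Buffer.from(String(a));
  const y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Callback: accept the response only if this session started the transaction.
function checkCallback(session, query) {
  const tx = session.oidc;
  delete session.oidc; // single use, also on failure
  if (!tx) return { ok: false, reason: 'no transaction in session' };
  if (!sameString(query.state, tx.state)) return { ok: false, reason: 'state mismatch' };
  // nonce is later compared with the ID token, code_verifier sent to the token endpoint.
  return { ok: true, nonce: tx.nonce, code_verifier: tx.code_verifier };
}

// Constructed scenario: two browsers, each with its own session object.
function demo() {
  const a = {}, b = {};
  const reqA = beginLogin(a);
  const query = { code: 'constructed-code', state: reqA.state };
  const otherBrowser = checkCallback(b, query);   // b never started a login
  beginLogin(b);
  const wrongState = checkCallback(b, query);     // b's transaction has another state
  const sameBrowser = checkCallback(a, query);    // a started this transaction
  const replay = checkCallback(a, query);         // already consumed
  return { otherBrowser, wrongState, sameBrowser, replay, reqA };
}

console.log(demo());
```

Without somewhere to keep `tx` between the redirect and the callback, `checkCallback` has nothing to compare against, which is the situation the strategy's error reports.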