panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Is it possible to disable session for Strategy? #190

Closed TwistTheNeil closed 5 years ago

TwistTheNeil commented 5 years ago

I'm trying not to use sessions with the OpenID Connect strategy, but I run into this error:

TypeError: authentication requires session support

However, I see in the README that it might be possible not to use a session:

// store the code_verifier in your framework's session mechanism, if it is a cookie based solution

I plan on not using cookies, so is there an option that I am missing?

Snippets of code:

```js
// Imports the snippets rely on (not shown in the original post)
const express = require('express');
const passport = require('passport');
const { Issuer, Strategy: OIDCStrategy, generators } = require('openid-client');

const app = express();
let opts = {};

const initOIDC = async () => {
  const googleIssuer = await Issuer.discover('https://accounts.google.com');
  console.log('Discovered issuer %s %O', googleIssuer.issuer, googleIssuer.metadata);

  /* Authorize Code Flow */
  /* client object */
  const client = new googleIssuer.Client({
    client_id: process.env.GOOGLE_CLIENT_ID,
    client_secret: process.env.GOOGLE_CLIENT_SECRET,
    redirect_uris: ['http://localhost:3001/oidc/callback'],
    response_types: ['code'],
  });

  /* params object */
  const params = {
    client_id: process.env.GOOGLE_CLIENT_ID,
    response_type: 'code',
    scope: 'openid email profile',
    nonce: generators.nonce(),
    redirect_uri: 'http://localhost:3001/oidc/callback',
  };

  opts.client = client;
  opts.params = params;
  opts.passReqToCallback = true;
};

// initOIDC() must have finished before the strategy is registered, otherwise opts.client is still undefined.
// With passReqToCallback: true the verify callback receives req as its first argument.
passport.use('openid', new OIDCStrategy(opts, (req, tokenset, userinfo, done) => {
  console.log("-----tokenset: ");
  console.log(tokenset);
  console.log("userinfo");
  console.log(userinfo);
  // Hand the result back to passport; without this call the request never completes
  done(null, userinfo);
}));

/* Endpoints */
app.get('/oidc', passport.authenticate('openid', { session: false, scope: 'profile email openid' }));
app.get('/oidc/callback', passport.authenticate('openid', { session: false, failureRedirect: '/login' }), (req, res) => {
  console.log('i am getting here oh yay or nay');
  res.json(req.user);
});
```
panva commented 5 years ago

Is it possible to disable session for Strategy?

It is not. Binding the state/nonce and other transaction details is a prerequisite for a CSRF-protected client.

TwistTheNeil commented 5 years ago

Alright, thanks for the quick response!