panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Verify callback never invoked #317

Closed himanshusinghs closed 3 years ago

himanshusinghs commented 3 years ago

Description: Here's the code:

const app = require('express')();
const { Issuer, Strategy } = require('openid-client'); // Issuer was missing from the original import
const passport = require('passport');

(async () => {
    const issuer = await Issuer.discover('some_discovery_url');
    const client = new issuer.Client({
        client_id: 'some_client_id',
        client_secret: 'some_client_secret',
        redirect_uris: ['https://some-domain.com/login/callback'],
    });

    app.use(passport.initialize());

    passport.use('oidc', new Strategy({
        client,
        params: { scope: 'openid email' }
    }, (tokenset, done) => {
        console.log('claims', tokenset.claims());
        // See, I am never calling done. The request cycle should hang here, but it doesn't, and neither does the log above show up.
    }));

    app.get('/login', passport.authenticate('oidc', { session: false }));
    app.get('/login/callback', (req, res, next) => {
        // passport.authenticate returns a middleware; it has to be invoked with (req, res, next)
        passport.authenticate('oidc', { session: false }, (error, strategyResponse) => {
            if (error) {
                res.json({ error });
            } else if (!strategyResponse) {
                res.json({ message: "Not authenticated" });
            } else {
                res.cookie('session_cookie'); // And so on
                res.end();
            }
        })(req, res, next);
    });

    app.listen(3000); // port assumed for illustration
})();

I am expecting the app to hang because I don't call done in the verify callback, but it doesn't; instead I receive false as the value of strategyResponse, which is unexpected. Is there anything that I might be missing?

To Reproduce

// Issuer configuration (issuer.metadata) and how it is constructed (discovery or manual?)
discovery
// Client configuration (client.metadata) and how it is constructed (fromUri or manual?)
{
  client_id: 'some_client_id',
  client_secret: 'some_client_secret',
  redirect_uris: ['https://some-domain.com/login/callback'],
}

Expected behaviour: The app above is supposed to hang, but it proceeds and ends the request with the "Not authenticated" message.

Environment:

panva commented 3 years ago

@himanshusinghs the strategy is tried and tested. I can see { session: false }, which a) I'm not sure what it does, b) the strategy requires session support.

himanshusinghs commented 3 years ago

@panva Thanks for your prompt reply. Appreciate it. I have some clarifications to present. a) session: false is used to disable sessions, in case you are developing a REST API, which is the case for me. But even if I allow the app to use sessions, the problem stays the same. b) I am not sure that it does. Because for Okta the strategy works fine with the configuration I posted above. It's failing for an OnTrack-based provider.

panva commented 3 years ago

This strategy is for end-user sign-in, not protecting APIs.

himanshusinghs commented 3 years ago

That I know, and I am not using it in that way. Post login, tokens are generated and API guards are taken care of separately. My problem is exactly as I wrote in the original post: the verify callback is not being invoked.

I was only hoping to be pointed to something suspicious, like session: false, but unfortunately enabling that also doesn't work. I will continue my investigation on this, but thanks a lot for your help. Will update the thread once I find something. :)

arealmaas commented 3 years ago

It's been a while, but did you find anything @himanshusinghs 😆