Behavior:
Using passport 0.5.3 and running through the appid authorization workflow, successful authentication allows progress through various GET URLs, handling various interim steps, and ultimately landing on the app landing page.
With all else held stable, installing passport v0.6.0 changes the behavior: it cycles through successful authentication and returns to the login screen.
A diff to package-lock.json shows only two differences:
passport@0.5.3 -> passport@0.6.0
utils-merge@1.0.1 is listed as a passport dependency only for 0.6.0
Here's a diff of the debug traces, with 0.6.0 on the left and 0.5.3 (working) on the right. Note the undefined GET /ibm/bluemix/appid/callback.., which seems to be the "smoking gun". To reinforce, no code changes or other module changes were made.
Common to both versions:
Validating Iss and Aud claims
token ver: 4
token version is valid
token aud: 9d13229c-93d8-4a2d-8669-0ef59664bd4c
token iss: https://us-east.appid.cloud.ibm.com/oauth/v4/...
Successfully validated Iss and Aud claims with user defined
authentication success
completeAuthorizationFlow :: success { failureRedirect: '/',

Left, 0.6.0 (broken), continues:
undefined GET /ibm/bluemix/appid/callback...
undefined GET / {}...
::1 GET /public/start.html {}...

Right, 0.5.3 (working), continues:
::1 GET /ibm/bluemix/appid/callback...
Checking license acceptance: license acceptance still valid.
handleAuthorization
::1 GET /spa/ {}...
::1 GET /spa/styles.f097758609b626ac.css {}...
::1 GET /spa/main.094f81a9ce4d3fd3.js {}...
::1 GET /spa/styles.f097758609b626ac.css {}...
::1 GET /spa/runtime.c7a1c7b6d5629c2b.js {}...
FYI - the full line before the first "undefined" line is (in both versions):
nodejs 14.20.0 passport: 0.6.0 passport-strategy: 1.0.0 ibmcloud-appid: v6.2.6, using appID.WebAppStrategy, AuthMiddleware toke refresh express: 4.18.1 express-session: 1.17.3
What might have changed for this to happen?
BTW, important, due to vulnerability in passport < 0.6.0
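The package-lock.json diff above was read by hand. As an added example (not part of the original post, and not code from passport or ibmcloud-appid), here is a small Node script that does the same comparison mechanically: it flattens two lock files into path -> version maps and reports changed, added and removed packages, so a dependency bump like the one described can be checked without eyeballing the raw JSON. The two lock fragments embedded below are constructed for the example and only reproduce the two differences the post reports; the function names are my own.

```javascript
// Added example, not from the original post: diff two package-lock.json
// documents and report changed / added / removed packages.

/**
 * Flatten a package-lock into { "<path>": "<version>" }.
 * Lockfile v2/v3 keeps a "packages" map keyed by "node_modules/<name>";
 * lockfile v1 keeps a nested "dependencies" tree, which is walked recursively
 * so nested copies of a package get distinct paths.
 */
function flattenLock(lock) {
  const out = {};
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue; // the root project entry has no version of interest
      out[path] = meta.version;
    }
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      out[path] = meta.version;
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return out;
}

/** Compare two lock documents; returns { changed, added, removed } keyed by path. */
function diffLocks(before, after) {
  const a = flattenLock(before);
  const b = flattenLock(after);
  const result = { changed: {}, added: {}, removed: {} };
  for (const path of new Set([...Object.keys(a), ...Object.keys(b)])) {
    if (!(path in a)) result.added[path] = b[path];
    else if (!(path in b)) result.removed[path] = a[path];
    else if (a[path] !== b[path]) result.changed[path] = { from: a[path], to: b[path] };
  }
  return result;
}

// Constructed lock fragments (lockfile v2 shape), not the poster's real files.
// They model only the two differences the post describes.
const lockBefore = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/passport': { version: '0.5.3' },
    'node_modules/passport-strategy': { version: '1.0.0' },
  },
};
const lockAfter = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/passport': { version: '0.6.0' },
    'node_modules/passport-strategy': { version: '1.0.0' },
    'node_modules/utils-merge': { version: '1.0.1' },
  },
};

const report = diffLocks(lockBefore, lockAfter);
console.log(JSON.stringify(report, null, 2));
```

To run it against real files, replace the two constructed objects with `JSON.parse(fs.readFileSync(...))` of the old and new package-lock.json; the output for the case in the post is one changed entry (node_modules/passport 0.5.3 -> 0.6.0) and one added entry (node_modules/utils-merge 1.0.1).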